GDPR Compliance – Will U.S. Companies Be Ready?
CIO’s are focused on meeting the upcoming deadline for the EU’s new stringent data privacy laws. The compliance requirements are onerous. They not only cover in-house processing and storage, but extend the same requirements to cloud vendors and third-party partners.
What is GDPR?
Global Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens. While many countries and states already have regulations, GDPR will be the most comprehensive. GDPR sets a new standard for consumer rights regarding their data and now requires companies to be able to produce all pieces of information stored and to delete that data upon request.
When do GDPR requirements become effective?
The regulations were adopted by the EU Parliament in April 2016. The implementation deadline is May 25, 2018.
What companies must comply?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country
- No presence in the EU, but it processes personal data of European residents
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What are the key provisions under GDPR?
- Extraterritorial scope: application to any EU body or any data processor or controller processing data of EU citizens
- Penalties: up to 4% of global turnover or around $23.8 million (whichever is greater)
- Consent: companies need clear and understandable terms of how data is being used and a legal document in place that outlines both
- Data rights: including access to one’s data and the right to be forgotten or erased
- Protection by design and default: data controllers are responsible for data protection mechanisms before and during data processing. Auditing current data, centralizing data storage and eliminating shadow IT practices are important steps in this process.
- Data protection officers: to oversee public authorities, data processors and bodies engaging in large-scale monitoring
How will penalties be assessed?
Experts predict that regulators will act quickly to identify non-compliant companies to send a message. The fines and penalties associated with non-compliance are not specifically defined so these initial rulings will serve as a benchmark. It is estimated that the EU could collect billions in fines in the first year. In a global survey released in April by Veritas, one out of every five companies expressed fears that GDPR fines could put them out of business.
GDPR is changing the landscape for how American companies manage and protect the data of EU citizens. As the deadline quickly approaches, IT teams are working diligently and Wall Street is keeping a watchful eye on the progress of these projects.
Contributed by Amy Noel