More than 17 years after its last round of regulations regarding personal data protection, the EU strikes back with the General Data Protection Regulation (GDPR).
Possible penalties? Up to 20 million euros or 4% of a company’s annual global revenue of the previous year. This is a serious warning to U.S. companies – don’t mess with fundamental European rights!
The General Data Protection Regulation and all its accompanying policies will come into effect on May 25th, 2018. The GDPR will apply to all companies processing and collecting the personal data of EU citizens – irrespective of said company’s location.
Those who fail to adhere will find themselves in hot water, as the sanctions for mishandling personal data will be the most severe in the world on this matter.
The GDPR will repeal and replace all local data protection regulations previously put into place by EU member states. This is in an effort to make personal data processing transparent with uniform rules that protect all EU citizens equally.
Why is there a new regulation?
With the failure of Safe Harbor in 2015, the earthquake caused by the Snowden revelations in early 2010, the WikiLeaks phenomenon, the increase of cyber-crime targeting personal data, etc., everyone can agree that on both an international and a local scale, data protection efforts have been unsuccessful in many ways, to say the least.
The GDPR is also being adopted in a specific context where data flows are substantially and continually increasing in volume and where technology in general is quickly evolving and globalizing. So if we admit the inefficiency of the EU member states’ previous data protection regulations, it is obvious that new protections are required as more and more personal data flows around the internet. The objectives of the GDPR are to ensure the protection of the personal data of EU citizens (considered a fundamental right in the EU) as well as the free flow of data within the EU space.
Learn more about the new European regulation on personal data protection: watch our GDPR webinar replay
Should U.S. companies be concerned?
The GDPR will apply to U.S. based companies whether they are data processors or data controllers, in relation to the offering of goods and services (whether or not payments are involved) to data subjects in the EU, or the monitoring of their behavior insofar as that behavior takes place within the EU. To put things more simply: if a company that offers goods or services (whether or not they cost money) is either collecting or processing a European citizen’s personal data, the GDPR will apply no matter where the collection or processing is being performed. So all data collected and/or processed on EU citizens by any type of company offering a good or service falls under GDPR policy.
Which EU citizen rights should U.S. companies be concerned about?
According to many, the GDPR is not a revolution but an evolution. Let’s take a look at some of the rights that have been granted to EU citizens over time. These include:
- Right to Access (Rectification)
- Right to be Forgotten
- Right to Object to or Restrict Processing
- Right of Portability of Personal Data
- Right to be Informed about the Processing of Personal Data
U.S. Companies must be prepared to respect the rights of EU citizens and respond to requests made by them.
What are the new Obligations and Requirements of the GDPR?
One of the key elements of the GDPR is the principle of accountability. This mainly refers to the various obligations a company needs to comply with in order to respect the GDPR. Even more important is that companies must be able to demonstrate their compliance with the GDPR.
There is some guidance provided to show companies how to accomplish this. For example, companies should implement protocols that demonstrate their compliance with the GDPR: this should include organizational and technical measures (such as privacy by default and by design) as well as security measures to ensure the security of the personal data being processed.
Regarding obligations, they are all new, and U.S. companies need to get familiar with them.
- PIA (Privacy Impact Assessments): companies need to evaluate the risk to individuals related to their personal data and take measures compliant with the GDPR. This can be accomplished by applying the principles of privacy by design and by default mentioned above. The first principle means that each new service or product that uses personal data needs to be designed with privacy and data security in mind, with privacy being protected throughout the life cycle of a project; the second means that the strictest privacy settings of a product should be applied for users automatically.
- Data breach notification: users need to be notified of a data breach within 72 hours after a company finds out that a breach has taken place. Companies should notify the Data Protection Authority as well as any individuals that are at high risk due to their data being affected by the breach.
- The DPO (Data Protection Officer): companies will be required to have someone working as a DPO if they are processing personal data on a large scale and on a regular basis. This is mandatory for any organization that is profiling an EU citizen’s behavior online.
- Records of processing activities: it will be mandatory for companies with more than 250 employees to keep records of data processing activities; if a company has under 250 employees it is still highly recommended.
If you need more details about how to ensure your company’s compliance with the GDPR, take a look at our free eBook and learn everything you need to know about the new EU regulations.
What are the Sanctions?
If facing a sanction, a U.S. company should know whether an individual consented to their personal data being processed, as well as how the data has been collected – and for what purpose. Companies should also know whether or not they informed the individual of their rights and of storage limitations, and whether they can trace the data back to its source. If a company cannot answer one or more of these questions, it should be worried about the sanction process and its repercussions.
GDPR sanctions are the highest ever enforced by such a regulation, so don’t test the Europeans! Every former data protection authority that was already on the job will remain in place and will serve as the local enforcement authority for GDPR regulations. That means they will have the power to issue mandatory orders and can impose significant fines for a wide range of breaches of the GDPR.
There are two levels of fines in the case of non-compliance:
1.) Up to 10 million euros or 2% of the offending company’s annual global revenue of the previous year.
2.) Up to 20 million euros or 4% of the offending company’s annual global revenue of the previous year.
These are serious sanctions, and at both levels, whichever of the two amounts results in the higher penalty will be imposed.
How to be Compliant?
Since last year, a wide variety of suggested compliance processes has been offered online. We will join in on this trend and suggest a few actions here:
- First, inform your employees and train your team, set up a GDPR task force, evaluate your company’s situation, and assign a DPO if applicable.
- You need to perform data mapping and a Privacy Impact Assessment if necessary.
- Check all your contracts in which you are the data processor or controller, and check your suppliers’ contracts as well! If your company is based in the US, you should designate a representative in the EU country where the data is processed.
You should also ask yourself these questions:
- Do I have a notification process for breaches?
- Do I have a personal data policy?
- Do I know about the Privacy Shield?
If you answered yes to all of these questions you are in pretty good shape; just double check what obligations remain in order to be compliant with the GDPR and make sure everything is ready. If you answered no to these questions you are in big trouble, but it is not too late to fix it. Good luck!
Learn more about the GDPR and prepare your business for the new personal data regulations.