If you do business in the European Union (EU) or gather information from or about EU residents, then you may need to comply with the EU’s General Data Protection Regulation (GDPR), or you could face significant fines.
What is the GDPR?
The GDPR is an extensive new data protection framework that applies from May 25, 2018. It is far-reaching not only in the protections it gives personal data, but also in its territorial reach: any organization that offers goods or services to, or monitors the behavior of, EU residents may be subject to the GDPR, whether or not it has a physical presence in the EU.
What does this mean to you?
The GDPR regulates processing of EU residents’ personal data. “Personal data” is defined in the GDPR as any information relating to an identified or identifiable individual person. Personal data includes a person’s name, email address, location data, online identifiers (such as IP addresses and cookie identifiers), and ID numbers. The “processing” of personal data broadly includes any operation that can be carried out on or with data. It includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction of data.
Because these definitions are so expansive, if your business receives or stores any information about EU residents, you may need to comply with the GDPR.
What is required under the GDPR?
Entities subject to the GDPR must adhere to its requirements when processing personal data from EU residents. Specific requirements depend on what personal data you process, how you process it, and whether you are a data controller (the party that determines the purposes for which, and the way in which, personal data are processed) or a data processor (the party that processes personal data on behalf of the data controller).
The following are some of the requirements of the GDPR:
- A subject business must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk inherent in its processing (Article 32). The degree of effort invested in a particular security measure must be based on the risk present in a particular setting or application, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. For example, a business processing the personal data of thousands of EU data subjects is expected to implement stronger security measures than a business processing data for only a handful of data subjects, and a business processing sensitive data (health, financial, or other special categories) is expected to do more than one processing contact details alone. The GDPR names pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data after an incident, and regular testing of the effectiveness of these measures as examples of appropriate measures.
- A subject business must observe the rights the GDPR grants to data subjects, such as the rights of access, rectification, data portability and objection, and the right to erasure (the “right to be forgotten”). The right to erasure applies in defined circumstances, for example when the data are no longer necessary for the purpose they were collected for or the data subject withdraws consent, and it is subject to exceptions such as legal retention obligations. In practice this means that a business must have policies and procedures in place to locate a data subject’s personal data across all its systems, including backups and data held by its processors, and to erase them when the right applies.
- Breach notification is mandatory in all member states. A data controller must notify the competent supervisory authority of a personal data breach unless the breach is unlikely to “result in a risk to the rights and freedoms of natural persons.” Notice must be given without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay. Data processors are required to notify their controllers (their customers) “without undue delay” after becoming aware of a data breach, so that the controller can meet its own deadline.
What happens if your business does not comply?
Failure to comply with the GDPR could result in significant administrative fines for each infringement. The GDPR sets two tiers of maximum fines: up to the greater of 10 million Euros (approximately $11,650,000.00 at the time of writing) or 2% of annual worldwide turnover (annual sales volume net of all discounts and sales taxes) for the preceding financial year, and up to the greater of 20 million Euros (approximately $23,300,000.00) or 4% of annual worldwide turnover. Which tier applies depends on the provision infringed rather than on the impact of a particular incident: controller and processor obligations such as security of processing and breach notification fall in the lower tier, while the basic processing principles, the lawful basis for processing, data subjects’ rights and international transfers fall in the higher tier. Within those caps, supervisory authorities weigh factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the technical and organizational measures that were in place.