The General Data Protection Regulation (GDPR) will be coming into effect in the first half of 2018, and any companies that do business in the European market need to be in compliance with the regulations surrounding data and personal information before the deadline or face significant repercussions.
What Is General Data Protection Regulation (GDPR)?
GDPR refers to legislation enacted jointly by the European Parliament, the Council of the European Union (EU) and the European Commission. The goal of this regulation is to increase data security as well as strengthen and unify data protection protocols for all people living in or doing business in EU countries. Unlike previous data protection legislation, this regulation applies to any business with a presence in the EU, not just companies that are based in the EU. GDPR applies even if the data processing company, such as a cloud storage company, is based in an EU country. GDPR becomes effective on May 28, 2018.
The goal of GDPR is to give EU residents back a large measure of control over their sensitive, personal information and how that information is being used. It also seeks to unify how each country within the EU is regulating the use of personal information and thus make it easier for companies who do business in multiple EU countries to ensure compliance.
How GDPR Applies to US Businesses Doing Business in the European Union
For companies collecting data from EU citizens (whether or not they are based in the EU), GDPR means ramping up their company’s data collection systems, improving accountability, and in most cases, hiring or promoting a data control officer, whose primary responsibility is ensuring that the company’s proper data collection protocols are followed. Ignorance of the provisions of the regulation is not a valid excuse under GDPR, and companies face strict financial penalties for noncompliance.
What Are the Requirements of GDPR?
GDPR defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” The regulation applies only to data collection for private sector enterprises and some court of government agencies. It does not attempt to regulate national security or law enforcement agencies.
The key provisions of GDPR include:
- Every company or entity is required have a data control officer, who accepts responsibility for acquiring, storing, deleting and processing personal data. Data security must be among this person’s primary duties.
- Under the regulation, personal data may only be collected if the subject (or his or her legal representative) has given consent.
- Such data can only be acquired when necessary to complete a contract to which the subject is party, when necessary to meet legal requirements, when necessary to protect the vital interests of the party, when necessary to perform the legitimate interests of the company as long as the rights of the party are not compromised, and when necessary for carrying out a task in the public interest.
- Consent to data collection for children must be given by the child’s parent or guardian, and the company must be able to show a record of this consent.
- Companies must encrypt the data they collect in such a way that it cannot be readily tied to the subject should the data be compromised
- Data control officers must notify the GDPR Supervisory Authority in a timely manner in the event of a data breach.
- Companies must submit to periodic random data audits to ensure that they are in compliance.
What Are the GDPR Deadlines?
GDPR was first proposed in January, 2012. The final version of the regulation was enacted on April 15, 2016. The regulation goes into effect (and becomes enforceable) on May 25, 2018.
What Are the Penalties If You Don’t Comply?
Failure to comply with GDPR can bring stiff and potentially crippling penalties to companies, whether or not they willfully ignored the regulation. For the first, unintentional offense, a company will be given a written warning. However, intentional violations and/or second or subsequent offenses carry financial penalties of up to €20,000,000 or 4 percent of annual worldwide sales, depending on the offense. Clearly, this is not legislation that any company can afford to ignore.
How an IT Company Can Help
One good way to ensure that your company is prepared for the GDPR deadline and to make sure that you continue to meet the regulation’s guidelines is to enlist the assistance of a good IT consulting company like Sysarc. We are intimately familiar with the provision of GDPR and can help you set up systems that will make compliance seamless without disrupting your key business activities.
Making sure that your company is ready for GDPR doesn’t have to be complicated or take up a lot of your valuable time and resources. To learn more about how a quality IT company like Sysarc can help you and your staff meet all of the GDPR regulations, contact us today.