The European General Data Protection Regulation (GDPR), a form of data privacy regulation that was agreed upon by the European Parliament and Council in April 2016, will come into effect and replace the existing Data Protection Directive 95/46/EC this year on May 25.
The aim of the European data protection regulation is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” The regulation, which sets out rules for how businesses handle the personal data of data subjects and how that data moves in and out of Europe, seeks to standardize previously inconsistent processes that varied from country to country. The regulation was prompted by the alarming rise in data breaches and cybercrime.
Understandably, you may be wondering or concerned about what these regulatory changes will mean for your U.S. business or organization. Below, I will highlight some of the key changes and have put together a GDPR compliance checklist to help ensure your business is ready by the May deadline.
GDPR Change Highlights
While many of the key principles of the existing legislation will remain the same, there also will be some noteworthy changes to the regulatory policies that have been outlined on the regulation’s official website. I’ve outlined a few of those changes below.
Expanding Regulatory Reach
By far the most significant change to the data privacy regulation is the GDPR’s increased jurisdiction. Unlike its predecessor, the new legislation applies to “all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
What is Considered Personal Data
The GDPR aims to protect a wider variety of personal data, including personally identifiable information (PII) such as:
- Identity data (name, personal ID number, and address)
- Biometric data (retinal scans, fingerprints, etc.)
- Racial or ethnic data
- Health and genetic data
- Sexual orientation
- Political preferences and opinions
- Web data (IP address, location, RFID tags, and data from cookies)
In what is good news for your data subjects (such as consumers), the new General Data Protection Regulation strengthens the conditions for giving consent. Consent must be “clear and distinguishable” from other information and be written in “clear and plain language.”
GDPR Fines and Penalties
According to the official website, any organization that isn’t in compliance with this new legislation will face heavy GDPR penalties. The EU GDPR outlines a tiered approach to enforcing infringements, meaning that “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
How Will GDPR Requirements Affect Me?
For companies based in the U.S. that work with EU member states, the GDPR requirements will require changes to how they process, store, and protect customers’ personal data. Because these rules apply to both processors and controllers whose services operate in EU member states, cloud software-as-a-service (SaaS) companies in the U.S. that conduct business there will not be exempt from GDPR enforcement.
GDPR Compliance Checklist
We’ve put together a 5-step GDPR compliance checklist to help you begin assessing whether your organization’s policies and procedures are in alignment with the new regulation.
1. GDPR Compliance Awareness
As a leader within your organization, it’s important to ensure that all decision makers and key personnel are aware of the GDPR requirements and the impact of non-compliance.
  - Identify key stakeholders within your organization to support GDPR compliance
  - Determine whether one or more data protection officers (DPO) should be appointed
  - Outline a reporting system within that GDPR compliance governance structure that would include the DPO (if applicable)
  - Implement a GDPR compliance training program to ensure data protection is covered and employees are informed about policies and procedures
2. Personal Data Audit
In order to understand what personal data you hold, it’s important to document the types of data your company possesses, where it came from, whom it’s shared with, and how it’s shared.
  - Review how all forms of personal data (employee, consumer, and other) are collected and handled, and for what purpose, by Human Resources and other personnel
  - Review how your company monitors employees (CCTV, electronic communications, and internet usage)
  - Assess how data is shared with other companies or controllers (safeguards and liability)
3. Review and Update Internal Policies and Procedures
The documented policies and procedures of your organization are the rules that help to ensure your employees follow ethical, compliant, and standardized practices.
  - Review your company policies to ensure they are compliant with the GDPR
  - Make changes as necessary to ensure the collection, processing, use, and storage of data are in alignment with the new GDPR requirements
  - Ensure access to personal data is restricted to only necessary personnel
  - Assess response policies for data breaches and information security
  - Document the lawful basis for each of your business’s personal data processing activities
4. Protecting Data Subjects’ Rights
Review your company’s procedures to ensure that they are compliant with the new GDPR requirements regarding EU citizens’ privacy.
  - Right to access: Data subjects will now be able to obtain confirmation from the data controller about whether their personal data is being processed, by whom, and for what purpose. They also will be able to receive a free copy of said data in an electronic format.
  - Right to be forgotten (data erasure): Data subjects now will have the right to have their personal data erased and to halt any further dissemination of said information when they withdraw consent or the data is no longer being used for its original purpose.
  - Right to be informed: Within 72 hours of becoming aware of any data breaches, all member states will now be required to notify all data subjects of any breaches that may “result in a risk for the rights and freedoms of individuals.”
5. Review Consent Policies and Practices
What this means for you is that businesses no longer can use the terms and conditions forms that are seemingly endless pages of “legalese.”
  - Review consent policies to ensure consent is easy to give and withdraw
  - Ensure that consent forms are easy to read
How FPA Can Help to Prepare Your Business
While these new GDPR requirements are a significant step in the right direction for protecting consumers’ rights and personal data, they also mean significant changes to how your business may approach the collection, use, storage, and sharing of information. This complex and far-reaching legislation will affect your business beyond data governance and information security concerns alone, and its impact will soon be felt at all levels of your organization.
Don’t simply view handling these regulatory changes as a threat; instead, view this task as an opportunity to enhance your organization and update its IT security, privacy, and data practices. And, the good news is that FPA is here to help you every step of the way. Regardless of whether your business is now just preparing for the regulation changes or is already part way through the process, our GDPR assessment can help you to assess the aforementioned areas of concern (and others) within your organization. We will work with your main GDPR stakeholders to ensure your business is compliant.
How will you prepare your business for the new GDPR compliance requirements? Reach out today or comment below to speak with me about how we can work together to prepare your business for the GDPR rollout in just a few months.