tiero - Fotolia
With just less than a year to go until the European Union's General Data Protection Regulation goes into effect, companies need to assess their obligations to be GDPR compliant. Although organizations located outside of the European Union might not give a second thought to EU regulations, the GDPR will affect nearly every organization that does business online, regardless of its geographic location.
Like any set of government regulations, the actual requirements set forth by the GDPR are both complex and extensive. Although this article provides basic information about the regulation, it should not be treated as legal advice, nor should it serve as a guide to achieving regulatory compliance, as it only covers some of the key points of the regulation.
What is the General Data Protection Regulation?
The GDPR is designed to protect the privacy of EU residents. The regulation applies to organizations that collect and process data located in the European Union.
While this part of the regulation likely isn't enough to give foreign nationals cause for concern, there is one particular aspect of the regulation that makes it much more far-reaching than it would otherwise be: The GDPR applies to any organization, anywhere in the world, that collects data on citizens of the EU. As such, even a small, web-based business located on a different continent would have to be GDPR compliant.
The EU is imposing stiff penalties on organizations that have collected data on EU citizens, but failed to comply with the GDPR. According to some sites, data collection could consist of something as simple as requiring an EU citizen to provide his or her name.
Penalties for noncompliance can be up to €20 million, or up to 4% of the previous fiscal year's worldwide turnover, depending on which is larger. It remains to be seen, however, whether the EU will be able to muster the authority to collect from noncompliant organizations located outside of the union.
Organizations that must be GDPR compliant should take the time to visit the European Union's GDPR website to familiarize themselves with the requirements and penalties imposed by the regulation. Companies should visit the site on a periodic basis until all aspects of the regulation have been finalized.
GDPR compliance actions
For organizations that do business with or collect data on citizens of the European Union, there are three potential courses of action:
- Stop all business activities related to the EU.
- Find a way to do business without actually collecting any data.
- Work toward compliance with the regulations.
Some of these options will be unacceptable. For example, a large enterprise would almost certainly choose compliance over ceasing to do business with EU customers. Conversely, small shops will likely find doing business in the EU to be cost-prohibitive, especially given GDPR requirements such as hiring or appointing a data protection officer.
Organizations that choose to be GDPR compliant will have several key responsibilities.
- They must notify anyone whose data is collected. The notification must be written in a clear and concise manner, and it must specify the retention term for the data.
- Data protection measures must be built into an organization's business processes to ensure data is protected at every level of the organization. This requirement is known as privacy by design and by default.
- Those subject to the regulation must prove they are compliant. This is true even if the organization outsources its data processing to a third-party processor, such as a cloud provider.
- GDPR-compliant organizations must provide their contact information to anyone whose data is collected and inform them that they have the right to refute decisions affecting them that are based solely on the use of an algorithm. For example, the regulation would give an EU citizen the right to challenge his or her credit score.
A guide to the GDPR compliance law coming in 2018
Ten things to know about GDPR: Key areas on compliance
Compliance with GDPR also affecting U.S. organizations