What Is GDPR?

GDPR, or General Data Protection Regulation, is a regulation requiring businesses to ensure the protection of the personal privacy and data of European Union (EU) citizens in transactions that occur in EU countries. GDPR is meant to unify and strengthen data protection for citizens of the EU while at the same time addressing the export of their personal data outside of the EU. It is expected to set a new standard for consumer rights concerning their data, though companies will be challenged to comply.

One of the key features of the GDPR is that it gives regulatory teeth to longstanding government guidance concerning the handling of consumers’ personal information. The strength of this regulation is unprecedented, and companies will have to show the most stringent levels of data protection to remain in compliance, lest they incur great fines. GDPR goes into effect May 25th, 2018.

What Companies Does GDPR Affect?

All companies that store or process the personal information of EU citizens in EU states must be in compliance with the GDPR, regardless of their physical business presence in the EU. Specifically, a company will have to be GDPR compliant if:

  • They have a business presence in the EU.
  • They process the personal data of EU citizens living in the EU.
  • They have more than 250 employees.
  • They have less than 250 employees, but their data processing effects the freedoms and rights of EU citizens living in the EU on a regular basis or includes particular types of personal data.

This last item means that almost all companies will have to be GDPR compliant. A survey by PwC shows that 92 percent of US businesses consider GDPR compliance a top priority. The choice then for US companies is to either ensure they are compliant or block EU users from using their business.

How Can A Company Prepare for GDPR?

The following steps can be taken to prepare your company for GDPR requirements:

  • Integrate your marketing and IT departments. With the rise of cybercrime and the greater need for specific implementation and monitoring strategies, your IT department is more important than ever. Because GDPR regulations directly affect the marketing tool of data collection, having marketing work alongside IT will be helpful to both divisions.
  • Appoint a Data Protection Officer (DPO). Liability for GDPR compliance is assigned to data controllers and processors, and smaller operations are not required to hire a DPO, but doing so should be considered, nonetheless. The cost of being found non-compliant with GDPR regulations could far outweigh the cost of having a DPO on staff.
  • Audit your current security systems. GDPR compliance can best be achieved by having a thorough evaluation of current data security undertaken. If any high-risk areas are found, you can fix them before GDPR enforcement begins.
  • Educate your employees. Even though most responsibility for GDPR compliance will be with your security division, any employee who handles consumer data should know about GDPR. This would include those who interact with new customers, maintain CRM systems, or do data entry.
  • Work with GDPR compliant third-parties. These would include your CRM service, email service provider, and PR and marketing agencies. Under GDPR, you can be considered liable for security breaches that come through third-parties you work with, so it is important to make sure every aspect of your data processing is compliant.

How Can A Company Comply with GDPR?

Since Safe Harbor protections no longer apply, U.S. companies that handle and export personal data from EU citizens must be in compliance with GDPR or face heavy fines. If a data breach occurs in your company, you may be subject to fines of up to 4% of total profits for the previous year or €20 million.

However, if you can prove that the breach occurred in spite of proper security measures being taken, the likelihood of being fined will be reduced.

Proper security measures include, but are not limited to:

  • Servers being protected by application, database, file, and full disk virtual machine encryption.
  • Storage being protected by storage area network and network-attached storage encryption.
  • Media being protected by disk encryption.
  • Networks being protected by high-speed network encryption.
  • Strong key management being used to secure encrypted data.
  • Deleting user’s files and information to comply with the user’s right to be forgotten, as proscribed by the GDPR.
  • Having a way to ensure the identity of users and the legitimacy of their transactions.

It is also important that these and other security controls be auditable and demonstrable; otherwise, compliance with the GDPR cannot be verified.

If you need help further understanding GDPR, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale and average 14 years of legal experience, including work with or on behalf of companies like Google, Menlo Ventures, and Airbnb.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.