GDPR Compliance: Everything You Need to Know
GDPR (General Data Protection Regulation) compliance is vital for any company that specializes in data collection, and non-compliance could result in hefty fines.
GDPR compliance is vital for any company that specializes in data collection, and non-compliance could result in hefty fines. The GDPR stands for General Data Protection Regulation and was issued by the European Commission to enhance the security of citizens living within the EU. In addition, the regulation also deals with data that is exported outside of the EU.
GDPR requires that all businesses and organizations protect the privacy and personal data of all EU citizens in any transaction within any EU member state. Companies that collect EU data will need to comply with the new rules by May 25.
The new measures pose some issues for security firms. For instance, the GDPR takes a wider view of what counts as personal information: companies must protect cookie data and individual IP addresses to the same degree as social security numbers, addresses, or names.
Another issue is that GDPR is widely open to interpretation. For instance, it states that a company must provide a reasonable amount of personal data protection, but the regulation does not specifically identify what constitutes reasonable. In addition, it gives authorities a great amount of room in imposing fines for non-compliance and data breaches.
The European Parliament passed GDPR in April of 2016, which replaced a 1995 data protection directive. The new provisions are the same throughout all 28 of the EU states, meaning that organizations and companies must adhere to one standard in the EU. However, the new standard is a high one, and the new guidelines force companies to make large investments and set up a large administrative apparatus to govern data.
According to an Ovum report, two-thirds of U.S. companies think the GDPR will force them to rethink their strategy for doing business in Europe. In addition, 85 percent believe the GDPR puts them at a competitive disadvantage compared to European companies.
All companies that store or process personal information about citizens within the EU should comply with GDPR, even if they do not intend to do business in the EU. Specifically, this covers companies that:
- Are established in an EU nation
- Have no EU presence but process the data of EU citizens
- Have more than 250 employees
- Have fewer than 250 employees but process data in a way that affects the rights and freedoms of data subjects, which covers most companies
A PwC survey revealed that 92 percent of U.S. businesses consider GDPR a primary priority when it comes to data protection.
GDPR designates various job roles to ensure compliance:
- Data processor
- Data controller
- Data protection officer (DPO)
A data processor manages how the data is processed and the purpose of the data. Data processors may also be internal groups that process and maintain data records, including outsourcing firms that perform any of these activities. A controller ensures that all outside contractors comply with the rules.
GDPR holds all processors personally liable for any non-compliance or breaches. As a result, both your company and a processing partner such as a cloud provider could be held accountable for any penalties, even if the fault lies entirely with the processing partner.
Moreover, GDPR places the same liability on data controllers, including processors and third-party entities that manage data. If any third party violates the regulation, your organization is out of compliance.
This also means that all previous agreements with processors such as SaaS vendors, cloud managers, or payroll providers need to detail their duties and designated roles. Contracts need to be amended to outline how processes and data flows will be protected and managed, and how breaches must be reported.
GDPR mandates that processors and controllers designate a DPO to manage all data security strategies and GDPR compliance. Further, companies need to hire a DPO if:
- They store or process large amounts of EU data
- They process specialized personal data
- They monitor EU citizens
Public entities such as law enforcement could be exempt from the DPO mandate. The new measures also require companies to inform customers of their data rights under the GDPR, and they impose strict rules on the reporting of data breaches.
To learn more about GDPR compliance, submit your legal inquiry to our UpCounsel marketplace. UpCounsel's attorneys will help your organization conform to the new guidelines regarding data security and advise on what you can do to remain competitive if you are a U.S. company. In addition, they will guide you through potential data breaches and will be at your side if you find yourself under EU scrutiny.
Interested in learning more about GDPR compliance?
Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.