GDPR requirements are EU regulations requiring businesses to protect privacy and personal data of those who are EU citizens with respect to transactions occurring within the various EU member states. Non-compliance with GDPR can cost companies seriously.

Under those rules, companies who collect data concerning EU citizens in EU countries must comply with tough new rules that protect customer data. Implementation is no later than May 25.

Experts believe that GDPR will create a new standard for EU consumer rights in respect of their data. It will, however, be a challenge for companies to implement and comply.

Purpose

The EU Commission proposed GDPR to strengthen and create unified protections for those within the EU while also protecting the export of a person’s personal beyond the EU.

Compliance Concerns

Compliance with GDPR will likely cause concerns for security teams. As an example, GDPR takes a broad view of the definition of a person’s identification information. Corporations and other companies must provide the same, consistent level of protection for items such as a person’s IP address and cookie data as the company would for names, a person’s address, and his or her Social Security number.

Reasonable

The GDPR laws have some gray area. Under the GDPR, a company is obligated to provide a “reasonable” level of protection with respect to personal data. However, it is unclear how to define “reasonable” in this context. As a result, the GDPR governing body has much leeway when assessing fines for breaches and other non-compliance.

History and Implementation

The EU Parliament officially adopted the tenants of the GDPR in April of 2016. It replaced the outdated 1995 data protection directive.

The GDPR provisions are consistent among all the 28 EU member states. This means that all EU companies have only one standard within the EU. Note, however, that this standard is high and requires most companies to invest significantly so it can meet and administer GDPR requirements.

Based on an Ovum report, approximately two-thirds of American companies believe that these new GDPR requirements will compel them to rethink how they do business in Europe. 85 percent of these American companies believe that GDPR will put them at a distinct competitive disadvantage with European counterparts.

Compliance Deadline

For companies, the compliance deadline is May 25, 2018.

The initial announcement for finalizing the GDPR was announced in December 2015. That was followed by a vote in the EU parliament, which set the deadline for GDPR compliance as of May 2018. The requirements and the amount of internal collaboration necessary to be compliant necessitates that businesses address compliance guidelines now.

Companies Affected by GDPR

A company that stores or processes personal data about EU citizens and is located in the EU has GDPR compliance requirements. This is applicable to all EU companies, regardless whether they have an EU presence.

Specifically, the following criteria apply to companies that would fall under GDPR regulation:

  • Having a presence in an EU country.
  • Not having a presence in an EU country but processes personal data of EU residents.
  • A company with over 250 employees.
  • A company with 250 or fewer employees but has significant data-processing impact, such as processing sensitive personal data. In reality, this applies to almost all companies.
  • U.S. companies involved in processing personal information data of EU residents must also comply or risk fines.

Who Is Responsible for Complying with GDPR?

Under the GDPR, people with the following roles have responsibility:

Data controller

  • The data controller’s job is to define how such data is processed and why that data should be processed.
  • The data controller also makes sure that contractors comply with GDPR.

Data processor

  • Data processors can be an internal group or groups that maintain and process personal records.
  • This also includes any outsourcing firm performing this function.

Data protection officer

The GDPR will hold data processors liable for any breach or non-compliance with the regulations.

If you need help with understanding GDPR regulations, bringing your business compliant with the regulations, or would just like some basic information about GDPR, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.