Note: This is the first of an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
The date for compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) – 25 May 2018 – is quickly approaching. It is urgent that companies and organizations understand how it affects them now and into the future.
The first thing to establish is whether the regulation applies to your organization at all. If it does, you will need to understand what compliance requires of you, how the roles the regulation defines (supervisory authority, controller, processor, data protection officer) interact, and how data breaches must be reported within the mandated timeline.
Determining whether your organization is affected by GDPR is the starting point. The regulation applies to you if either of the following holds:
- You have an establishment in an EU member state and process personal data in the context of its activities, wherever the processing itself takes place
- You have no establishment in the EU, but you offer goods or services to individuals in the EU or monitor their behaviour, and so process their personal data
Organization size does not decide applicability, but it does affect some obligations. Organizations with fewer than 250 employees are exempt from the duty to maintain detailed records of processing activities, unless their processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data (such as health, biometric or criminal-conviction data). Organizations with 250 or more employees must keep those records regardless.
As companies have moved into a global marketplace, many are already storing and processing personal data of individuals in the EU, whether or not those individuals are EU citizens. Most companies with an online presence are therefore likely to fall within the scope of GDPR.
The GDPR establishes roles for oversight and enforcement as well as roles within organizations. Each EU Member State must designate one or more Supervisory Authorities (SAs), which have the legal power to investigate, enforce compliance, and impose penalties for non-compliance or for mishandled data breaches. Within businesses, the roles are Controller and/or Processor. A Controller determines the purposes and means of the processing of personal data. A Processor processes personal data on behalf of, and on the documented instructions of, a Controller. The GDPR also requires Controllers and Processors to designate a Data Protection Officer (DPO) in certain cases: public authorities, organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organizations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Other organizations may appoint a DPO voluntarily, and many will find it useful to have a single owner for the data protection strategy and GDPR compliance.
One of the more challenging requirements concerns the timeline for reporting data breaches. Controllers must notify the Supervisory Authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification is later than that, the delay must be justified. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed without undue delay. Processors must notify their Controller without undue delay after becoming aware of a breach. Today companies can take up to a couple of months to investigate and determine the overall impact of a breach and who was affected; that approach will no longer be acceptable, because the initial notification can no longer wait for the investigation to finish (the regulation allows the notification to be supplemented in phases as information becomes available). It can be presumed that a situation such as the one Uber recently went through could be met with the highest penalties. Companies will not be able to cover up data breaches without being heavily penalized…at least not as they pertain to individuals in the EU covered by the protections afforded by the GDPR.
Going forward, GDPR will demand that U.S. companies understand, and quite possibly change, how they store, process, and protect personal data. For example, personal data may only be processed on a valid legal basis (consent is one such basis, but not the only one), and it may only be kept for as long as necessary for the purpose it was collected for. Companies need to determine whether GDPR applies to them. If it does, they will need to act quickly to comply or face stiff penalties. Understanding your exposure, how to mitigate risk, and what it will take to meet the 72-hour breach notification requirement will be paramount to business success going forward.