A Holistic Guide to General Data Protection Regulation (GDPR)
Companies collecting the personal data of individuals in the European Union (EU) must comply with the GDPR from May 25, 2018.
Businesses that gather the personal data of people in the EU member states must comply with a stringent new regulation, the EU GDPR. With the number of customer data breaches rising steadily, the European Parliament and the Council of the EU adopted the General Data Protection Regulation (GDPR) to replace the previous data protection rules.
The GDPR is a regulation that businesses worldwide are expected to follow to safeguard the privacy and personal data of individuals in the EU for all processing that concerns them. As non-compliance can result in heavy penalties, here is what every company that handles the personal data of EU residents needs to know about the General Data Protection Regulation.
What is General Data Protection Regulation?
One of the most frequent questions businesses ask is "what is GDPR?" The GDPR is a regulation adopted by the European Parliament and the Council in April 2016 to replace the outdated Data Protection Directive of 1995. It requires businesses to safeguard the personal data of individuals in the EU for all processing that takes place within the EU member states, as well as processing of EU residents' data carried out elsewhere. Because the regulation sets a high bar for security and accountability, many businesses will need to make significant investments to implement and abide by its standards. The GDPR also regulates the transfer of personal data to countries outside the EU.
Which Companies are Likely to Get Affected by GDPR?
Any organization that collects, processes, or otherwise handles the personal data of individuals in the EU must abide by the GDPR. Companies with no physical presence in the EU are still expected to comply if they offer goods or services to people in the EU or monitor their behaviour. The following criteria indicate that a company falls within the scope of the General Data Protection Regulation -
- Established in any of the EU countries
- Not established in an EU country, but processing the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour
- Note that company size does not exempt an organization from the GDPR. The 250-employee threshold only affects the duty to keep written records of processing activities: organizations with fewer than 250 employees are relieved of that record-keeping duty unless their processing is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data (such as health data) or data relating to criminal convictions
Who Will Be Responsible for GDPR Compliance Within the Company?
The GDPR holds both data controllers and data processors liable for non-compliance and for breaches. This means that both the organization and its data processing partners, such as a cloud provider, can be held responsible, although a processor that has met all of its own obligations under the regulation will not be liable for damage caused solely by the controller. The General Data Protection Regulation defines the following roles with responsibility for compliance -
- Data Processor - the party that processes personal data on behalf of the controller
- Data Controller - the party that determines the purposes for which, and the means by which, personal data is processed
- Data Protection Officer (DPO) - the person who monitors compliance with the GDPR inside the organization, advises on data protection obligations, and serves as the point of contact for the supervisory authority and data subjects; this includes checking that outside contractors comply with the regulation
The GDPR requires a DPO to be designated where the core activities of the organization involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (such as health, biometric, or genetic data). Public authorities and bodies must always appoint a DPO; the only exception is for courts acting in their judicial capacity.
What Would be the Cost of a GDPR Preparation to a Company?
According to survey figures cited at the time, approximately 68% of US-based companies expected to invest between $1 million and $10 million to comply with the General Data Protection Regulation, and a further 9% expected to invest over $10 million.
What Happens When a Company Does Not Meet GDPR Requirements?
The GDPR imposes steep penalties when companies fail to abide by its requirements. For the most serious infringements, the fine can be up to 4% of the firm's global annual turnover or up to €20 million, whichever is higher; a lower tier of up to 2% of turnover or €10 million applies to other infringements. Organizations that fail to comply with the General Data Protection Regulation by 25 May 2018 will have to bear the penalties for non-compliance.
What Sort of Personal Data Will GDPR Safeguard?
The General Data Protection Regulation protects all personal data of individuals in the EU, meaning any information relating to an identified or identifiable person, with additional protection for the special categories of data. The following kinds of data are covered by the regulation -
- Basic identification information, including the name, address, and the ID numbers
- Sexual orientation
- Political opinions
- Health and other genetic data
- Web data, including location data, cookie identifiers, RFID tag identifiers, and IP addresses
- Racial or ethnic data
- Biometric data
Are there Any Specific GDPR Requirements that Affect a Company?
The GDPR requirements are expected to force companies, including those in the US, to modify the way in which they store, protect, process, and handle personal data. For instance, companies may process and store personal data only for as long as the individual's consent remains in force or the purpose for which the data was collected is still being served. Personal data must also be portable from one firm to another at the individual's request, and firms must erase it upon request where no legal basis for keeping it remains.
Another major challenge is breach notification. Organizations must report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, those individuals must also be notified without undue delay. Consequently, companies must provide a considerable level of protection for the personal data of individuals in the EU and be able to detect and document breaches quickly.
What Does a Successful GDPR Implementation Look Like?
As most companies will already have a set of data security controls in place to protect the privacy and confidentiality of their customers' data, keeping up with the General Data Protection Regulation should not be a major leap. Involving privacy professionals or lawyers helps ensure that the requirements are fully understood and followed.
There are numerous ways of implementing the General Data Protection Regulation, depending on the type of business and the tools already in place. Organizations can assess their current position and, once the assessment is complete, define the steps needed to implement the regulation and document them. Documenting how a company plans to become compliant, and how it maintains compliance, is extremely important, since the GDPR requires organizations to be able to demonstrate compliance rather than merely assert it.
How Can a Company Get Prepared for Becoming GDPR Compliant?
With the General Data Protection Regulation becoming mandatory on 25 May 2018, the best way for companies to get started is to instill a sense of urgency at the top and have executive leadership prioritize cyber preparedness. Complying with recognized data hygiene and security standards can also form part of that preparedness. The following are the major steps to gear up and become General Data Protection Regulation compliant -
- Involving all the stakeholders
- Conducting a risk assessment
- Hiring and appointing a competent DPO
- Coming up with a suitable data protection plan
- Having a plan in place to track and report the progress in your GDPR compliance
- Implementing the best possible data security risk mitigating measures
- Testing the incident response plans
- Having a process for constant assessment
Abiding by the General Data Protection Regulation can prove to be a competitive advantage, as demonstrable compliance boosts customers' confidence in your organization. In addition, the process and technical improvements necessary to comply with the GDPR will also improve how efficiently the business secures and manages personal data.
Get in touch with Outsource2india to know more.