GDPR: What You Need to Know for 2018

January 5, 2018
Compliance, Customer Service, Data Protection, Financial Services, IT Security, Manufacturing, Retail


As if dealing with HIPAA, PCI, FISMA and the many other regulations and legislative acts wasn’t enough, now there’s the General Data Protection Regulation (GDPR). GDPR becomes enforceable on May 25, 2018, and is designed to protect the privacy of individuals in the EU and keep their personal data secure.

While the law is European, many US companies will be affected. If your organization offers goods or services to people in the EU, or monitors their behavior, in a way that involves collecting or processing their personal data, it’s probably one of them. If that’s the case, you’re going to want to make sure your organization meets the compliance requirements. Failure to do so will be costly. Where non-compliance relates to obligations such as security measures, impact assessments or breach notifications, the fine may be up to the greater of 10 million Euros or 2% of global annual turnover (revenue) from the prior year. For non-compliance with the GDPR’s key provisions, such as the basic processing principles, data subject rights and lawful international transfers, regulators can fine up to the greater of 20 million Euros or 4% of global annual turnover from the prior year.

GDPR replaces the EU Data Protection Directive of 1995 (Directive 95/46/EC), which placed nearly all direct responsibility for protecting the privacy rights of individuals in the EU on data controllers rather than on data processors. Under GDPR, both controllers and processors carry direct legal obligations, and both can be fined.

Whether your company has one employee or a thousand doesn’t matter. Companies of all sizes are required to comply with GDPR if they collect or process personal data on individuals in the EU; the only size-based relief is a narrow exemption from some record-keeping duties for organizations with fewer than 250 employees, and it does not apply where the processing is risky, regular or involves sensitive data. Even if your company already participates in the EU-US Privacy Shield, or complies with the existing national data protection law of the specific European country in which it does business, that won’t remove its GDPR compliance requirements. Privacy Shield only provides a lawful mechanism for transferring data to the US; it does not satisfy the rest of the regulation.

In addition, GDPR can apply if your website uses cookies or similar identifiers to track the behavior of visitors in the EU, since GDPR treats online identifiers as personal data and counts such tracking as monitoring. Merely being reachable from the EU is not, by itself, enough to trigger the law; deliberately targeting or profiling EU visitors is. The regulation also governs transfers of personal data out of the EU, which are only permitted to countries or recipients offering adequate safeguards.

GDPR “To-Do” Highlights

If you aren’t sure whether or how GDPR will affect your business, or what you need to do to ensure compliance with the law, consult a compliance expert. Meanwhile, here are some of the things that may be required of your organization. You will need to:

  • Understand whether your company is a data controller, which determines the purposes and means of processing personal data; a data processor, which processes personal data on behalf of a controller; or possibly both, depending on the activity. The category your company falls under for each processing activity determines its compliance requirements under GDPR.
  • Inform all staff who handle personal data on individuals in the EU, wherever those staff are located, of the GDPR rules, and make sure they are trained to handle that data under the new requirements.
  • Conduct a full data inventory so you know all the personal data you collect or use on individuals in the EU, where it came from, the lawful basis for processing it, every entity it’s been shared with, and every location where you store it. Controllers and most processors must also keep written records of their processing activities.
  • Make sure your business associates and their subcontractors, as well as any third-party service providers you use, are aware of their requirements under GDPR and meet them. Where a provider processes personal data on your behalf, GDPR requires a written contract setting out its obligations, and you need to review those contracts.
  • Designate a contact who will work with your supervisory authority, and appoint a Data Protection Officer if you are required to (for example, if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data).
  • Where you rely on consent as your lawful basis, develop consent and disclosure forms that explain each specific use of the data. Consent must be freely given, specific, informed and unambiguous; pre-ticked boxes and bundled consent don’t qualify. Your customers must be able to agree to some uses and decline others, withdraw consent as easily as they gave it, and you will need to record their choices so you can demonstrate what they agreed to and when.
  • Be able to detect, respond to and report personal data breaches. Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to put individuals at risk, and must inform the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk. Processors must notify their controllers without undue delay. Have the policies, contacts and logging in place so you can meet those deadlines.
  • Ensure your data retention policies satisfy the GDPR’s storage limitation principle. The regulation does not set a single maximum retention period; instead, personal data may be kept in identifiable form only as long as necessary for the purposes for which it was collected, so you need to define and justify a retention period for each category of data and delete or anonymize the data when it expires.

Beyond Compliance 

Although GDPR becomes enforceable in just a few months, there’s still time to get ready. Like most compliance activities, this one may be time-consuming. However, the investment in time and resources will do more than help you meet the GDPR compliance requirements. Knowing exactly what personal data you hold, where it lives, who can access it and how quickly you can detect and report a breach will also strengthen your overall IT security posture, and help distinguish your company’s value proposition from that of its competitors.