Ready or Not: GDPR Goes Live May 25

May 3, 2018
Cloud, Compliance, Data Protection


In the last couple of years, there’s been a lot of talk—and confusion—about the General Data Protection Regulation (GDPR). What is it? Who does it affect? What do I need to do?

With the May 25 date for the GDPR’s implementation fast approaching, it’s time to move past the talk, clear up the confusion, and take action if necessary. If your company collects data on citizens in European Union (EU) countries, here’s what you need to know and do.

What is the GDPR?

Adopted by the European Parliament in April 2016, the GDPR is a regulation on data protection and privacy for all individuals within the EU. Its purpose is to empower EU citizens and residents with control over their personal data.

It’s also meant to simplify the regulatory environment for international business by unifying the regulation within the EU. The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU.

How do I know if my company must comply with the GDPR?

If your company stores or processes the personal data of EU citizens within EU states, it must comply with the GDPR. Here’s a brief overview of the specific criteria for compliance:

  • A presence in an EU country.
  • No presence in the EU, but the company processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

Why is the GDPR Needed?

Data privacy is a significant and growing concern worldwide. According to the RSA Data Privacy & Security Report, 80% of consumers surveyed in France, Germany, Italy, the UK and the U.S. cited lost or stolen financial data as a top concern.

The RSA report also noted that 62% of the survey participants said they wouldn’t blame a hacker if their data was lost in a breach; they’d blame the company that had their data. They also wouldn’t be very forgiving of any company that allowed their data to be exposed, with 72% of US respondents saying they would boycott a company that didn’t take care of their data’s security.

What types of privacy data does the GDPR protect?

The GDPR covers a broad range of data. That includes basic identity information such as name, address and ID numbers, health and genetic data, biometric data, racial and ethnic data, sexual orientation, and political opinions. It also protects web data such as location, IP address, cookie data and RFID tags.

What are some of the most important things I need to know about GDPR?

A major focus of GDPR is on consent. If your company is subject to GDPR, it can’t use vague or confusing statements to get someone to agree to give your company their data. Nor can your company bundle consent for different things together. In addition, consent must also be easy to withdraw. For children under 16, a person holding "parental responsibility" must opt-in for data collection on their behalf.

Another rule within the GDPR makes it mandatory for companies to notify their data protection authority about a data breach within 72 hours of becoming aware of it. The processor of the data will need to notify customers "without undue delay" after learning of the breach.

Also important to note is that under GDPR, consumers must be able to access their personal data being stored by companies and find out where and how it’s being used. They can also request that whoever is controlling their data erase it and stop third parties from processing it.

Who is responsible for making sure my company is complying?

The GDPR defines roles for compliance responsibility: data controllers, data processors, and data protection officers. The data controller defines how the data is processed and why. The controller also is responsible for making sure outside contractors comply.

Data processors may be the internal groups that maintain and process personal data records or any third-party company that performs all or some of those activities. The GDPR holds processors liable for breaches and non-compliance. That means both your company and a partner company, such as a cloud provider, would be subject to non-compliance penalties even if your partner is the one at fault.

The GDPR requires the controller and the processor to designate a data protection officer to oversee data security strategy and GDPR compliance. Companies are required to have a data protection officer if they process or store the data of EU citizens, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities may be exempt from the requirement.

What does GDPR preparation cost?

The cost can vary greatly. According to a March 2018 survey, most companies will spend less than $1 million. Only about 10 percent expected to spend more than $1 million.

Does the GDPR affect third-party and customer contracts?

The GDPR places equal liability on the company that owns the data and the outside organizations that help manage it. All existing contracts with processors, ranging from cloud service providers to payroll service providers, must spell out data privacy responsibilities. They must also define consistent processes for how data is managed and protected, and how breaches will be reported.

Client contracts also must reflect the regulatory changes. Those contracts can take various forms, such as formal agreements regarding how you view, access, and process data, as well as online click-throughs.

What happens if my company doesn’t comply with the GDPR?

Failure to comply can be expensive. There are fines of up to four percent of total global turnover if rules in the GDPR are breached.

Are there specific things my company needs to do?

One of the key tasks is to make sure your business leaders, IT, and security teams understand what data you have, what you do with it, where it’s being stored and/or processed, who has access to it, and where it’s being exported outside the company. From there, you can develop and implement the necessary policies and procedures to ensure GDPR compliance.

Is there anything else?

There’s far too much to cover about GDPR in a single blog. Your best course of action is to talk to a GDPR compliance expert. Also make sure you talk to your vendors and other third-party partners about their plans for GDPR compliance.

If you’re a US Signal customer, or considering becoming one, we’ll be happy to provide you with information on how we’re dealing with GDPR compliance. Call us at 866.2.SIGNAL or email: [email protected].