The General Data Protection Regulation (GDPR) is a regulation that is intended to strengthen data protection for individuals within European Union (EU) countries. It was adopted in April 2016, replacing the outdated data protection directive from 1995. The primary objectives of the GDPR are to give people more control over their personal data, to help protect personal data from the risk of loss, and to unify regulatory privacy and data requirements within the EU.
The GDPR will go into effect May 25, 2018. It is therefore vital that any enterprise that conducts business in the EU understands the overall design of the GDPR and why preparing its technology and processes now for this new legislation is so critical.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
Technology has changed so rapidly that no one could have predicted how the Internet, smartphones and the widespread use of social media applications such as Facebook and Twitter would have global implications.
As a Regulation, the GDPR enacts a uniform data security law across the EU. Each EU country will no longer need to pass its own legislation for data security; the GDPR will be the guiding law. However, EU countries can still regulate certain types of data, such as health data.
Summary of GDPR Requirements
- Applies to all organizations located in the EU and all organizations outside the EU offering goods and services to individuals in the EU.
- Businesses must safeguard and encrypt personal data, and report any breach quickly.
- Individuals must be informed of: who is collecting their data, what is being done with it, and who it is shared with.
- Individuals must consent to all personal data that is being obtained by the business.
- Individuals have a set of rights, including the rights of access, to object, to erasure and to restrict processing.
- A business must be able to demonstrate compliance by tracking each use of personal data.
- A business must provide data usage tracking reports to individuals and authorities upon request.
If you are currently doing business in the EU, you may already have privacy processes and procedures in place. The question to ask now is whether those existing processes will hold up to the new GDPR regulations and requirements. To ensure that your enterprise is GDPR compliant, you will need to review your consent policies and procedures to verify that they meet the new, higher standards.
The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. According to a report from Gartner, 52% of companies believe they will be fined for non-compliance. It has been predicted that the EU could collect as much as $6 billion in fines and penalties in the first year.
How We Can Help
We have experts who understand the impact the GDPR requirements can have on your operations and who will bring procedural and technological expertise to your organization regarding these issues. Creedpro can help you determine your preparedness and then recommend appropriate solutions and services.
Wikipedia – https://en.wikipedia.org/wiki/General_Data_Protection_Regulation