19 Jan REMINDER: GDPR IS RIGHT AROUND THE CORNER
The clock is ticking toward the European General Data Protection Regulation (GDPR) enforcement deadline of May 25th, 2018. GDPR is a significant update of the existing 1995 EU Directive (95/46/EC) and comes with massive penalties that can reach the greater of €20 million or 4% of global annual revenue.
Companies that do business in any of the 28 EU member countries or process the personal data of EU citizens must comply by May 25, 2018. We are going to do a four-part series to educate the enterprise on what the changes are, who is affected, key requirements, implications, preparedness, and potential penalties.
- Part 1: What is GDPR and who is affected
- Part 2: Security requirements
- Part 3: How to prepare for GDPR
- Part 4: GDPR penalties for not complying
Here are some basic definitions:
Personal data and data subject – “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Example: You work for a company; as your employer, it holds your personal data, and you are the data subject.
Controller – “person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Example: A bank collecting personal information from its employees is the Controller.
Processor – “person, public authority, agency or any other body which processes personal data on behalf of the controller.” Example: A payroll company processing employee paychecks on behalf of the bank is the Processor.
A question we are asked frequently is whether GDPR applies in scenarios like these:
Your company is tasked with projecting a European company’s revenues for the next three years. You sit in the US but use personal data provided to you by your client that is collected in the EU. Because the data is collected in the EU, it is subject to GDPR requirements.
You operate a website that allows people to shop for and buy products. The US-based company that owns the retail storefront collects personal data about the people who visit and make purchases. If a person visits the website while physically present in the EU, the requirements of GDPR follow the personal data collected during that visit. The website will have to comply with GDPR for all EU citizens who go to the site.
Our next blog will address some actual security requirements. Please stay tuned.