Have you been hearing about the General Data Protection Regulation? Do you collect, use, or process personal data of subjects in the European Union? What is GDPR? Who must comply? How can you prepare? Should you complete a GDPR assessment? With the repercussions of data breaches hitting the headlines more often every day, it’s important to understand how this privacy legislation is going to affect your business and to ask yourself: are you ready for GDPR compliance?
What is GDPR?
The Data Protection Directive (DPD) has been in place for 20 years, setting a minimum standard for data protection laws in European Union Member States. Many of these states have taken legislation to the next level when it comes to protecting personally identifiable information, making it increasingly difficult for EU citizens to know how their rights and information are being protected across Europe, and for organizations to determine which laws apply when working across multiple Member States.
Born out of cybercrime threats, technology advances, and concerns about data misuse, this legislation requires all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” GDPR is enforceable and is equivalent to a US Federal Law, and failure to comply with GDPR can lead to fines of up to €20 million or 4% of annual global turnover, whichever is greater.
Who Must Comply with GDPR?
GDPR applies to any entity collecting, using, or processing personal data of any data subject in the European Union. It’s important to note that this doesn’t just apply to organizations working within the EU, but also to any organization in the world providing services to data subjects within the EU; according to a general consensus, approximately 66% of US companies will be subject to this data protection law. GDPR requires organizations based outside the EU to nominate a representative within the EU, in a Member State where the target data subjects are based. That representative must be mandated by the data controller or processor to be addressed by supervisory authorities and data subjects on all issues relating to the processing of personal data.
What is Personal Data?
According to GDPR, personal data is defined as any information relating to an identified or identifiable natural person (the data subject), who can be identified directly or indirectly by a name, an ID number, location data, or by factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
What is a Data Controller?
The data controller is the organization that determines the purpose for processing personal data and what processing will be done. Processing, according to GDPR, includes the collection and storage of information. It is possible for an organization to be accountable as the data controller, but not otherwise involved with any actual processing of personal data.
What is a Data Processor?
A data processor is any organization or entity that processes personal data on behalf of a data controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. It is possible, and sometimes common, for an organization to be both a data controller and a processor.
GDPR became effective May 25, 2018, so if you’ve not begun preparing, you should start now. In a highly data-driven world, it’s our responsibility to help protect organizations from data and privacy breaches. For more information on how you can complete a GDPR assessment, contact us today.