In early 2012, the European Commission began to draw a new plan for data protection reform that would apply to the European Union.
After over four years of debate, an agreement was reached and the General Data Protection Regulation (GDPR) was approved and unveiled in mid-2016. All nations of the European Union have transferred the rules and regulations of the GDPR into their own laws, and it will officially go into effect at the end of May 2018.
What is the purpose of the GDPR? In essence, it’s designed to give the citizens of the European Union more control over their personal data. The law applies to any business physically located in the EU, as well as to any businesses and companies outside of the EU who offer their products or services to citizens of the EU.
This means that even if your business is located in the United States, if you sell products and services to EU citizens, you will need to be compliant with the rules outlined in the GDPR.
Here are the five biggest things you need to know about the new General Data Protection Regulation:
1. Businesses Will Need A Data Protection Officer
Once the GDPR officially goes into effect in May 2018, all businesses impacted by it will need to hire a data protection officer (DPO).
The role of the DPO will be to advise you on meeting GDPR requirements and to make sure you are compliant with them. They will report directly to the highest level of management in your company and to the regulatory authorities.
2. Fines For Non-Compliance Are Large
Even if you are aware of the fact that your company needs to be compliant with the GDPR, purposefully deciding not to be compliant will be a major mistake, assuming you still want to do business with people who reside in the EU.
The highest fine for non-compliance is the higher of twenty million euros or four percent of your total global revenue. There are additional fines you may face as well, such as a two percent fine for failing to notify the regulatory authority about a breach.
3. You Must Gain Customer Consent To Store Data
Are you going to be storing important personal data from your EU customers? If so, you must now get their consent to store that data. This is different from before, when you did not have to gain consent, but customers were allowed to opt out of letting you store their data.
In addition, you must also keep a record of when the customer gave their consent. The customer also has the right to withdraw their consent whenever they choose.
4. The Definition of Personal Data Has Changed
Alright, so you need to gain consent from an EU customer to store personal data. But what even counts as personal data in the first place?
The definition of personal data under the GDPR rules is broader than it was before. IP addresses, card payment info, names, addresses, cultural information, medical information, and virtually any kind of data that can be used to help identify a person now counts as personal data (which, again, you must gain consent to store).
5. You Must Report Any and All Data Breaches
If you have any data breaches of any kind, it is your sole responsibility to report them to your data protection authority within seventy-two hours at the most.
Yes, it’s likely that you won’t know all of the details concerning the breach within such a narrow time frame. Nonetheless, you will still need to at least make contact with your data protection authority and tell them everything you know at the present time. As you continue to gain more information, you’ll need to communicate that information to the authority as soon as possible.
Specific information that the data protection authority will definitely want to know includes the time of the breach, how many of your customers are affected by it, and any actions you have already taken or plan to take to respond to it.
What To Know About GDPR
So long as your business either is located in the EU or sells its products or services to citizens within the EU, you will need to be compliant with the rules put in place by the GDPR.