Are you prepared for new General Data Protection Regulations?

If you manage businesses in the EU, there are sweeping data privacy changes taking place. The new General Data Protection Regulations (GDPR) are the most significant changes to data privacy in over 20 years. The goal of the new requirements is to protect all EU citizens from privacy and data breaches, and these updates are the most comprehensive since 1995. Consumer privacy and data protection have been in the news recently, with many data breaches coming to light months after they occurred, leaving consumers unprotected. These new requirements will hold companies responsible and ensure consumer data protection and privacy. If you manage or process data in the EU, here is a quick guide to the changes:

Jurisdiction: The largest change to the GDPR is related to jurisdiction. All companies, regardless of location and whether they were established in the EU or not, will be subject to the new GDPR regulations when processing personal data of EU citizens. Any organizations found to be non-compliant with the GDPR can be fined up to 4% of annual global revenue or 20 million euro (whichever is greater). That is the maximum fine imposed for the most serious offenses, and there is a tiered approach to penalties. The penalties apply to both controllers and processors, so all companies processing data need to ensure compliance to avoid fines.

Consent: Changes have also been made to the consent conditions. Companies can no longer use long, confusing terms and conditions to explain consumer rights. The request for consent has to be easily accessible, and the reasons for the data processing must be attached to that consent. The consent form must be easy to read, and it must be just as easy to withdraw consent as it was to give it.

Data Breach: The policies related to data breaches have also been updated. In all member states, notification of a data breach that could “result in a risk for the rights and freedoms of individuals” must be made within 72 hours of becoming aware of the breach. This is to avoid instances in which a breach is discovered but not made public for months, exposing customers to the risk of their personal data being used by others.

Privacy by design: Privacy by design is another new requirement of the GDPR. When a system is developed, data protection must be built in from the beginning, not added on as a separate component later. There will no longer be a requirement to report to local DPAs (Data Protection Officers), as most member states have different notification requirements. Previously, reporting to local DPAs was problematic for companies because of the inconsistencies and differences in requirements between member states.

The enforcement date for the new requirements is May 25, 2018, and companies found to be non-compliant will face heavy fines. If you are processing personal consumer data, you must have your global systems in place to accommodate these changes by May 2018. These new consumer protections will help secure personal data, and ensure companies are using best practices when processing personal information. Stay tuned for updates and upcoming webinars related to GDPR in the next few months – we’ll keep you updated and informed so you stay compliant.