GDPR is a buzzword that has been in the news frequently these past few months. GDPR, which stands for General Data Protection Regulation, affects more EU businesses than any other data security legislation in the last 20 years. However, EU citizens are not the only ones who should be concerned; the legislation will impact many US companies, as well. This legislation will go into effect on May 25th of this year, so if any US companies have not made the changes required by GDPR, they should act now.
What is GDPR?
GDPR is a regulation that was created to update a law known as the 1995 Data Protection Directive. The 1995 Directive was originally created to protect the data of EU citizens by imposing certain restrictions on companies that performed data processing in EU member states. While GDPR certainly improves upon the 1995 Directive, it does not deviate from its overall goals. The personal data (name, IP address, state identification number, etc.) and the sensitive data (political views, sexual orientation, genetic data, etc.) of EU citizens or individuals visiting the EU are safeguarded under this new and improved law.
GDPR makes many important changes to EU privacy law; a few of the more important clauses are:
- GDPR expands the reach of the 1995 Directive. Previously, only companies working in EU member states were bound by the law, but today, companies in all jurisdictions that control data originating in the EU must comply. In other words, companies located outside of the EU may be subject to GDPR, including many US companies.
- Noncompliance penalties have been expanded. The steepest fines are 4% of worldwide annual revenue and can reach a maximum of €20 million.
- GDPR grants EU citizens the right to control their own data. They now have the right to:
  - access their own data upon request;
  - choose that their data be erased and forgotten;
  - know when and how their data is being used;
  - be notified of data breaches in a timely manner; and
  - update their data as needed.
- Many organizations are required to hire a Data Protection Officer (DPO). This position acts as a liaison between the company and EU member states.
- Affected parties must be informed of data breaches within 72 hours after the company becomes aware of the breach. According to the National Conference of State Legislatures, 47 US states have data breach notification laws, but until GDPR was passed, the EU did not have any such requirement.
Am I Subject to GDPR?
The location and scope of a business’s activities are more relevant to GDPR compliance than is the physical location of company offices. Any organization that handles, stores, or processes personal or sensitive data originating in the EU must comply with GDPR. Even showing an intent to work with the data of EU citizens could trigger a compliance requirement. If you are an e-commerce business, for example, this could be something as simple as having a Euro (€) currency option on your website, translating your product descriptions into the language of an EU member state, or actively advertising to EU citizens or travelers in some other form.
What Do I Need to Do?
At the May 25th effective date, all businesses subject to GDPR should be able to prove that they have adequate data security measures implemented in their business practices. If you are one of these companies, you should start by assessing your existing procedures. What data do you collect, and how is it stored? Which third parties have access to the data, and how much freedom do they have with it? Do you have a process to inform your customers how you’re using their data? How do you handle security breaches? Once you are familiar with your existing procedures, you can plug any security holes that you discover.
A few changes you might need to make to become GDPR compliant are:
- Rewrite your security agreements to make them easier to understand
- Create a way for your customers to access their own information and change it if necessary
- Have stringent security requirements that third parties must follow when accessing sensitive or personal data
- Know the safest ways to store and transfer data
- Train employees on GDPR compliance
- Hire a Data Protection Officer
- Update permissions to allow only key workers to access important data
- Schedule a compliance audit with an outside source
LaPorte’s Risk Advisory Services team has assessments and programs that help our clients assess their readiness for GDPR compliance. We know that this could require a major overhaul of your business practices, so if you have any other questions about this new legislation, please contact a member of our Risk Advisory Services team.