Approved in 2016 by the European Union (EU), GDPR overhauls and modernizes existing data protection law, much of which dates to an era before widespread Internet access. One major change is in legal form. The existing Data Protection Directive (Directive 95/46/EC) had to be transposed into each member state's own national law, which left room for variation in both substance and enforcement. GDPR is a regulation: it applies directly and uniformly in every member state without national implementing legislation, and every organization within its scope must comply with it as written.
Now, with GDPR implementation looming (the new regulations go into effect on May 25, 2018), organizations should be reviewing the impact of these changes with some urgency, and determining how to best navigate the shifting data protection landscape.
For those with only passing familiarity, GDPR is the result of an effort by the European Parliament and other governmental bodies to strengthen data protection for those living in the EU, while also providing greater uniformity to existing data laws. Residents of the EU will gain a greater measure of control over their data (and how it is used), by parties both inside and outside the EU. Meanwhile, the new regulations will make data protections more uniform across EU member states, allowing for easier compliance from outside nations.
It should be noted again that GDPR is not a recommendation, but rather a law that governs the privacy and protection of personal data belonging to people in the EU.
GDPR should not be confused with the EU-US Privacy Shield, an agreement between the European Commission and the U.S. Government (formally approved in 2016) under which individual U.S. companies can self-certify, on a voluntary basis, by submitting an application to the Department of Commerce attesting that they maintain adequate data protection measures, so that personal data may lawfully be transferred to them from the EU. Privacy Shield addresses only that narrow question of cross-border transfer. GDPR governs how personal data must be collected, handled and protected in the first place, and a Privacy Shield certification does not by itself satisfy any of those obligations. Organizations that have treated Privacy Shield as their entire EU data protection program therefore need to build a GDPR compliance program on top of it.
Privacy: a fundamental right for EU citizens
The notion of a right to privacy in the context of data is particularly well-defined in Europe. Unlike other regions where data protections are weaker or virtually non-existent, Europe has remained positioned at the vanguard on this issue. Public sentiment for vigorous data privacy protections is strong, one reason why the EU has moved to modernize and strengthen regulations. The change promises to be profound. Elizabeth Denham, U.K. Information Commissioner, calls GDPR “the biggest change to data protection law for a generation.”
While this can be viewed as a net positive for EU citizens, the specter of tightened regulations has presented a whole host of legal and technical challenges for firms doing business in the EU. Effectively complying with these changes is a significant concern for many businesses, as EU leaders have introduced stronger sanctions and stricter enforcement in an effort to encourage close compliance. Should violations occur, regulators can now assess a fine of up to 20 million euros (21.4 million dollars) or four percent of the prior year’s global turnover, whichever is higher.
GDPR applies to organizations outside the EU
The legislation applies to organizations that process the personal data of people in the EU even when the organization is not established in Europe. Under Article 3, an organization outside the EU falls within scope when it offers goods or services to people in the EU (whether or not payment is required) or monitors their behaviour there, and processing by an organization established in the EU is covered regardless of where the processing itself takes place. Note that the relevant boundary is the EU, not the Euro Zone (the group of countries using the euro), and that the protection attaches to anyone in the EU, not only EU citizens.
Example: A U.S.-based company whose website, hosted in the United States, sells to customers in the EU or tracks the browsing behaviour of visitors from the EU (for instance through profiling cookies) is subject to GDPR, even though it has no European office and the data never leaves U.S. servers.
These provisions are uniform across all 28 EU member states and rise to a standard that is exacting enough to require a significant commitment of resources on behalf of compliant companies.
Adding to the complexity, all 28 member states retain the power to add localized jurisdictional regulations governing data protection, so long as these regulations do not conflict with GDPR provisions. While this may help EU nations create regulations that are more relevant in home markets, it complicates things considerably from a compliance perspective. Companies will need to invest in some form of monitoring or tracking of evolving local data privacy regulations in order to maintain full compliance.
Businesses, generally speaking, will require board-level support to enact many of these changes. Those firms that fail to address the challenges of GDPR risk not only significantly elevated sanctions but also reputational damage. On the positive side, implementation of GDPR is an opportunity for businesses to demonstrate how seriously they regard the challenge of modern data protection.
Organizations seeking to meet the challenges posed by GDPR should be cognizant of the key changes that will come into effect once the law is implemented. These changes include, but are not limited to, the following:
Additionally, GDPR introduces several privacy requirements that are triggered only when certain conditions are met. For example, an organization must appoint a Data Protection Officer (DPO) if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health, biometric or political data) or of data relating to criminal convictions and offences.
Organizations with 250 or more employees must also maintain written records of their data processing activities. Smaller organizations are exempt from this record-keeping only where the processing is occasional, is unlikely to pose a risk to individuals, and does not involve special categories of data or data relating to criminal offences; processing that touches any of those sensitive or high-risk elements must be documented regardless of headcount.
Finally, where a type of processing is likely to result in a high risk to individuals, particularly when it relies on new technologies, organizations are required to carry out a Data Protection Impact Assessment (DPIA) before the processing begins. Far from being an optional aid for organizations that are struggling, a DPIA is a structured method for identifying how best to safeguard the information and for catching problems at an early stage, and the supervisory authority must be consulted where the assessment finds a high risk that cannot be mitigated.
In order to fully prepare for the most significant changes and compliance challenges related to GDPR, organizations should take note of a few key takeaways.
By focusing on these key takeaways, organizations can help ensure that they are well-positioned to meet compliance demands and escape potential financial or reputational damages.
If you haven’t already, start planning now and seek to develop “buy-in” from key members of your organization. Because satisfying GDPR’s new data protection provisions may require drafting a new set of procedures, large organizations could see significant implications with regard to budgeting, governance, IT, communications, and so on.
You should also be aware that GDPR regulations will not have a uniform impact on all organizations or on every part of an organization, as the type of data that’s handled and other variables can change how and when regulations apply. Because of this, map out the areas where GDPR will have the most impact on your organization and dedicate resources accordingly.
With a comprehensive plan, organizational leaders can help ensure they remain compliant with GDPR mandates—while avoiding stiff penalties and reputational harm.
ABOUT THE AUTHOR
James Cusick is the Chief Security Officer & Director of IT Operations. He is responsible for systems planning, IT Operations, Infrastructure Services, Product Support, and Information Security at CT Corporation. Previously, James led software engineering teams for CT, creating large scale B2B applications. Prior to that, he held various technical leadership roles at AT&T, AT&T Labs, and Lucent’s Bell Laboratories’ Software Technology Center. He is a member of the IEEE and a current Project Management Professional. James is a graduate of both the University of California at Santa Barbara and of Columbia University in New York City.