5 Key Changes on the Way
Although nearly a year away, the EU’s new General Data Protection Regulation (GDPR) is fast approaching for multinational companies, and the clock is ticking to ensure compliance. The changes coming will have far-reaching implications for global businesses: any company operating in the EU must comply or face steep financial penalties.
It’s hard to believe that we’re now less than one year out from the implementation of a major change to data protection laws in Europe: The General Data Protection Regulation, or GDPR. It is the result of four years’ work by the European Union (EU) to standardize privacy laws and protect residents of the EU from the misuse of their personal data and data breaches in an increasingly digital world.
Most of the personal data protection laws in the EU haven’t been updated since the 1995 Data Protection Directive. In 1995, only one percent of the European population was using the internet. Now, not only is the majority of the global economy digital, but many companies are operating globally and processing personal data across borders. The EU Parliament established the GDPR framework as a way to update and harmonize the laws governing the use of millions of individuals’ data.
With these regulations, which take effect on May 25, 2018, come a number of major implications that reach beyond the borders of the EU’s 28 member countries. In fact, any company that stores, processes or touches data coming from Europe will need to comply with GDPR. A recent survey by Compuware® found that 52 percent of large U.S. companies acknowledge they possess EU customer data, which means they’ll need to comply with GDPR even though they are based in the United States.
According to a global survey by Dell®, more than 60 percent of companies say they have not begun preparing for GDPR. This could be problematic. Under GDPR, the onus will largely be on companies to ensure, and to demonstrate, that they are in compliance. It’s important for companies to understand what’s new about the law versus what was already required and implemented within their organizations in terms of data protection and privacy. Once you know that, you can determine current gaps and take the proper actions to be in compliance when GDPR goes into effect.
Here are the key changes of the regulation, along with what you need to know to ensure your company is prepared to comply:
Larger Financial Penalties
Under GDPR, penalties for noncompliance will be much larger than they were in the past. Previously, noncompliance fines were managed on a country-by-country basis, where each penalty was assessed by the country in which the noncompliance occurred. GDPR harmonizes these regulations and fines. If you infringe upon the law, the fine could be up to €20 million or 4 percent of your company’s worldwide revenue, whichever is higher. Additionally, supervisory authorities in the EU will define consistent, scaled tiers of sanctions that will be applied according to the severity of the offense.
Greater Accountability on the Part of the Company
Currently, companies that process data rely on the regulatory bodies of their country to check that they are meeting standards. Under GDPR, companies will now have to conduct their own self-assessments to ensure they are compliant with the law. No governing body will proactively tell a company, “Yes, you can move forward with this processing, it’s compliant.” Rather, it’s the responsibility of companies to ensure they are in compliance and to ensure their vendors, suppliers and other partners are complying with the law. Additionally, if something goes awry, companies will have to be able to prove they’ve done a data protection impact assessment showing they adequately addressed the issue.
Greater Individual Rights and Breach Notification
GDPR will grant people more control over how their personal data is processed, used and retained. The law will also implement mandatory breach notification, which is already in place in some states in the U.S. but is rare in Europe at the moment. If there is a data breach, companies will have to notify regulators (supervisory authorities in the EU) about the case and, depending on the level of risk, may also have to notify the affected individuals.
Transferring Data Outside of the EU
Binding corporate rules are policies covering the transfer of data to countries outside of Europe that do not provide an adequate level of protection according to European standards. Companies planning to use, or already using, binding corporate rules will be showing their commitment to protect personal data in accordance with the standards required in the EU, regardless of where the European data is processed, accessed or hosted.
Facilitating Business Operations
There’s no doubt complying with GDPR will be demanding for companies; however, GDPR will also benefit organizations, because harmonized regulation across Europe will help facilitate business operations and eliminate some paperwork. Globally, as the world moves toward greater individual data privacy rights, businesses already prepared to protect data are less likely to miss out on potential business from clients around the world.
While GDPR consists of 99 articles, in the end, not all of the requirements will be entirely new to companies. If you’re still learning about GDPR, act now to ensure you fully understand the regulation, perform a gap analysis that inventories your organization’s current data processing, and then put in place measures to ensure you’ll be in compliance with GDPR on time and beyond May 2018.