5 Things You Need to Know About GDPR Right Now

The General Data Protection Regulation (GDPR) is a directive that requires companies to protect the personal information of citizens living within the European Union. The law applies to businesses that reside in Europe, as well as those that exist elsewhere but do business with European entities. The regulation defines ‘personal data’ as any information relating to an individual. As a result, it encompasses an individual’s name, address, email address, bank records, social media data, medical information, computer IP addresses, photos, and more.

GDPR will take effect on May 25, 2018 and requires businesses to adopt a strict set of guidelines to maintain compliance. The regulation requires companies to enact a ‘reasonable’ level of protection for personal data, which, given how broadly it is defined, will be a real challenge for organizations in the months ahead. With this in mind, Solutions Review has compiled the ten most important things that companies need to know about GDPR to get them ready for the regulation’s rollout next year.

The objective is clear

GDPR will replace the Data Protection Directive of 1995. Its primary goal is to give individuals more control over their data, as well as provide protections against those that may mishandle personal information. The law will act as a framework to ensure that all the world’s businesses adhere to the same set of standards when handling data belonging to Europeans from the 28 member nations.

GDPR has a global reach

The regulation has an increased scope of applicability in that it requires all non-EU companies to comply with the new regulations so long as they process or control data belonging to European citizens. Businesses that process the data of EU citizens are now responsible for appointing a representative in the EU for overseeing practices.

GDPR will impact virtually every company

The regulation’s requirements will force the majority of US-based companies to alter the way they collect, process, and store personal customer data. Consent rules have changed to make it easier for individuals to decide what data they share, and erasure is required upon request. Personal data must be ‘portable’ from one company to another, while data breaches must be reported to supervisory authorities and individuals within 72 hours of detection. Companies will be responsible for a much larger degree of legal liability once the law goes into effect.

Non-compliance penalties are steep

Organizations in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million (whichever is greater). However, there is a tiered approach to fines which depends heavily on the offense. The fines apply to both controllers and processors, which means that the regulation will be enforced on cloud providers as well. There is some uncertainty as to how penalties will be assessed by the governing body, but the expectation is that non-compliant companies will be dealt with early on to set a precedent.

Compliance is not one-size-fits-all

Two hallmarks of the legislation that all organizations must incorporate are ensuring a singular person is responsible for data protection (data controller), and following breach notification protocols. GDPR compliance will take on many shapes and sizes, and companies will need to look internally at which gaps they need to fill to meet the minimum standards. Businesses should assess both technical and organizational measures to meet those standards. GDPR will affect businesses in specific industries more than others. For example, it does not supersede any legal requirement that forces a company to maintain certain data (HIPAA comes to mind).

Data protection, governance, and backup and recovery will make up the backbone of compliance with GDPR standards. To assist you in your search for the best possible tool for this upcoming regulation, check out our data management solutions directory, or download our buyer’s guide below.