The European Parliament adopted the General Data Protection Regulation (GDPR) on April 14, 2016 as a measure to improve the levels of protection of European Union citizens’ data. It is designed to harmonize data privacy laws across the EU. The regulation will go into effect on May 25, 2018.
If you are a North American company doing business with EU countries (i.e. processing the data of any EU citizen) you need to be aware of the following:
- The GDPR requires that any company doing business in the EU, no matter its size, must securely collect, store and use personal information. Smaller companies are not exempt and will also face fines for violations.
- Fines for non-compliance can be as much as $21 million, or 4 percent of your organization’s annual worldwide turnover, whichever is greater.
- The regulation upholds the “right to be forgotten.” Consumers can ask companies to remove personal data that’s made public and companies must comply.
- The law requires companies to report breaches to consumers within 72 hours.
How Can North American Companies Prepare?
- Employees of the organization need to be educated on the regulation’s importance and the role they have to play.
- Organizations must have an inventory of all personal data they hold.
- Review all current data privacy notices alerting individuals to the collection of their data.
- Review privacy policies and procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
- Review how individuals currently exercise their access rights and how those rights will change; update your procedures and plan how requests will be handled within the new timelines.
- Review your current methods of handling and/or processing data, ensure you’re covered legally, and document the methods and/or procedures.
- Review how customer consent is sought, obtained, and recorded.
- Review the procedures that are in place to detect, report, and investigate a personal data breach. Always assume a breach will happen at some point.
- Make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance.