General Data Protection Regulation (GDPR): Key Facts You Need to Know

April 16, 2018

Companies that do business in the European Union will need to comply with strict new rules regarding consumer data when the GDPR (General Data Protection Regulation) goes into effect on May 25, 2018.

The goal of the regulation is to set a higher standard for consumer privacy rights and to set up a compliance framework that holds companies accountable for how they process and handle personal data. This applies to the personal data of residents in the European Union, regardless of the company or firm’s location.

Key Facts

  • GDPR affects any company that stores or processes personal data about EU citizens located within EU member states, even if the company does not maintain a business presence in the EU.
    • This includes a US-based company that has a web presence and actively markets its products to EU citizens.
    • For EU citizens who are outside the EU when their personal data is collected, the GDPR would not apply.
  • Fines for non-compliance can be up to 4% of annual global turnover or €20 million, whichever is greater.
  • Organizations can also be fined 2% for not having their records in order, including not returning or deleting personal data as instructed and not having a system in place to demonstrate compliance and provide an audit trail.
  • The GDPR classifies parties as either data ‘controllers’ or ‘processors’ when assigning implementation duties and accountability. A data controller decides how and why personal data is processed and handled. A data processor processes the data on behalf of the data controller.
  • Non-compliance fines apply to both controllers and processors, meaning data stored in the cloud will not be exempt from GDPR enforcement.

Impact on Organizations

Organizations that regularly store and handle personal client data and confidential information fall under the purview of the upcoming GDPR enforcement.

Since the GDPR places greater emphasis on responsibility and accountability, organizations need to evaluate whether they have systems in place that clearly define how personal data from both clients/customers and employees is collected, stored, and used. It’s important that organizations consider how to keep and maintain an accurate record of the personal data that is in their possession, and be able to show how it was collected.

According to the EU GDPR website, personal data is defined as “any information related to a natural person…that can be used to directly or indirectly identify the person.” It can be anything from a name, a photo, an email address, bank details, posts on social networking sites, medical information, or an IP address.

This means organizations will be forced to not only inventory their digital assets, but manage their life cycle in a visible, legally defensible manner.

While there are still questions about enforcement of these regulations for companies that are outside of the EU, U.S. companies with a strong web presence should be proactive in updating their data collection and privacy procedures to ensure GDPR compliance.