The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, after a two-year transition period that began when it was adopted in 2016. Any organization inside or outside the European Union (EU) that handles the personal data of people in the EU, whether they are customers, employees, vendors, investors or donors, must comply with the new regulation or face unprecedented penalties.
What Is the GDPR?
The GDPR is a new framework of data protection laws that will replace the Data Protection Directive of 1995. The goals of the GDPR are to strengthen the protection of personal data, give EU citizens more control over their data, bring more accountability to the use of personal data, and simplify the regulatory environment for non-European organizations.
Key Provisions of the GDPR
The International Association of Privacy Professionals has outlined 10 key provisions or operational impacts of the GDPR, including a number of new protections and severe penalties and fines for noncompliance. Three terms recur throughout: data controllers are organizations that decide why and how personal data is processed; data processors are organizations that process personal data on behalf of a controller; and data subjects are the people whose personal data is being collected and processed. Here is a summary of the top operational impacts:
- Data Security and Breach Notification Standards. Data controllers may only use processors that provide sufficient technical and organizational guarantees of meeting GDPR requirements. A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and the affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them.
- Data Protection Officer. Data controllers and processors must designate a data protection officer to oversee GDPR compliance where they are a public authority or their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Consent. The definition of consent has been narrowed to a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by "a statement or clear affirmative action." Implied consent, pre-ticked boxes or simply providing an "opt out" do not qualify.
- Cross-Border Data Transfers. Personal data may only be transferred outside the EU to countries that the European Commission has determined provide "adequate" data protection, or under appropriate safeguards such as standard contractual clauses or binding corporate rules, or under a narrow set of derogations.
- Profiling. Automated processing designed to evaluate or draw conclusions about data subjects, and decisions based solely on such processing that produce legal or similarly significant effects for them, are restricted.
- Right to Be Forgotten and Data Portability. Individuals have the right to request that a controller erase their personal data, and to receive their data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Vendor Management. The processing responsibilities of data controllers have been expanded, and controller-processor contracts require significant detail to ensure accountability.
- Pseudonymization. The GDPR encourages pseudonymization: processing personal data so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected. Unlike truly anonymous data, pseudonymized data is still personal data and remains subject to the regulation.
- Codes of Conduct and Certifications. Data controllers and processors are encouraged to adopt codes of conduct that support GDPR compliance. Certification under an approved mechanism is voluntary and can be used to demonstrate compliance, but it does not reduce a controller's or processor's responsibility.
- Penalties for Violations. There are two tiers of administrative fines: up to 20 million euros (about $23.5 million) or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements, and up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher, for others.
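To make the pseudonymization item above concrete, here is an added example that is not from the original article: it replaces the direct identifiers in a customer record with a keyed HMAC, keeps the re-identification table apart from the pseudonymized data (the "additional information" held separately), and shows how deleting that table severs the link when an erasure request arrives. The record fields, the `SAMPLE_RECORDS` data and the function names are assumptions made for this illustration.

```python
"""Added example: pseudonymization with separately held re-identification data.

Constructed customer records stand in for a real data set; field names and
function names are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample input; in a real system this is the controller's data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "plan": "free"},
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "plan": "pro"},
]

# Fields that identify a person directly and must not reach the pseudonymous copy.
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymization_key() -> bytes:
    """A 256-bit secret. Together with the lookup table it is the 'additional
    information' that must be stored separately from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier.

    Deterministic for a given key, so records about the same person still link
    together for analytics. Without the key a recipient cannot reverse the value
    or cheaply confirm guesses, which a plain unkeyed hash of an e-mail address
    would allow (e-mail addresses are easy to enumerate)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split one record into (pseudonymous_record, lookup_entry).

    The pseudonymous record carries a subject_id instead of the direct identifiers
    and is what a processor would receive; the lookup entry maps subject_id back to
    the identifiers and stays with the controller, apart from the pseudonymous data."""
    subject_id = pseudonymize(record["email"], key)
    pseudonymous = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudonymous["subject_id"] = subject_id
    lookup_entry = {subject_id: {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}}
    return pseudonymous, lookup_entry


def pseudonymize_dataset(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Pseudonymize a whole data set, merging the lookup entries into one table."""
    dataset: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        pseudonymous, entry = split_record(rec, key)
        dataset.append(pseudonymous)
        lookup.update(entry)
    return dataset, lookup


def reidentify(subject_id: str, lookup: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Only a party holding the separately stored lookup table can do this."""
    return lookup.get(subject_id)


def erase_subject(email: str, key: bytes, lookup: Dict[str, Dict[str, str]]) -> bool:
    """Honor an erasure request for the pseudonymized copies by removing the lookup
    entry, which severs the link between subject_id and the person.

    Limit of this approach: anyone who still holds both the key and the e-mail
    address can recompute the subject_id, so the key must be rotated (or the
    pseudonymous records deleted) when that data itself must become unlinkable."""
    subject_id = pseudonymize(email, key)
    return lookup.pop(subject_id, None) is not None


if __name__ == "__main__":
    key = new_pseudonymization_key()
    dataset, lookup = pseudonymize_dataset(SAMPLE_RECORDS, key)
    print(dataset)                                       # no names or e-mail addresses
    print(reidentify(dataset[0]["subject_id"], lookup))  # controller can still re-identify
    erase_subject("alice@example.com", key, lookup)
    print(reidentify(dataset[0]["subject_id"], lookup))  # None: link severed
```

The key and the lookup table are the two pieces a processor must never receive alongside the pseudonymous data; if they travel together, the data is personal data in everything but name and none of the GDPR's incentives for pseudonymization apply.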
Although the GDPR is just a few months from going into effect, few organizations are ready. A report from Dimensional Research revealed that, as of November 2017, just 18 percent of organizations claimed to be fully prepared to comply with the 72-hour breach notification requirement. According to the 2018 Eye on Privacy Report from MediaPro, 59 percent of employees in the U.S. admitted to being completely unaware of the GDPR.
Tick, Tick, Tick…
GDPR compliance is not optional. If your organization handles the personal data of people in the EU and you are not prepared to comply with the GDPR, substantial fines could be in your future. Take steps now to comply with the GDPR in terms of people, process and technology.