The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into effect May 25, 2018, replacing the existing data protection framework under the EU Data Protection Directive. It is the most comprehensive piece of privacy legislation developed by any jurisdiction to date.
Consequences of non-compliance are significant, starting with fines of €20 million and going as high as 4% of global turnover, plus other sanctions including the ability to halt trading in the EU. Companies and businesses will be subject to GDPR regulations if they “control” or “process” personal data of EU individuals.
Is the GDPR relevant or applicable to my organization?
In general, companies or businesses will be subject to GDPR regulations if they “control” or “process” personal data of EU individuals. This includes:
- Any business that holds, controls, or processes personal data of EU residents, whether those individuals are customers or employees.
- Organizations that operate businesses that are established in a member state of the EU.
- Organizations that offer goods or services to individuals in the EU, irrespective of whether a payment is required.
- Organizations that monitor the behavior of individuals in the EU, where that behavior takes place within the EU.
This regulation imposes new obligations and stricter requirements on all organizations involved in the processing of personally identifiable data of EU residents, with an emphasis on transparency. A summary of the key requirements includes:
- Personal Data. Under GDPR, the extended definition now includes direct and indirect identification.
- Accountability. The regulation requires a mandatory accountability culture: privacy management activities and record keeping backed by documented compliance policies.
- Vendor Management. Liability now includes both data controllers and data processors, making vendor management a critical aspect.
- Data Protection Officer (DPO). In certain circumstances, an assigned and empowered DPO is required to ensure compliance.
- Breach Notification. Organizations must report data breaches within 72 hours of identification.
- Privacy Impact Assessments. Regular testing, assessment and evaluation of effectiveness of technical and organizational measures.
- Expanded Personal Privacy Rights. Additional rights of access, notice, consent, portability, profiling and erasure.
- Privacy by Design and Default. Embed privacy-related technical and organizational measures into system design and default settings, and process personal data only where necessary.
Are you ready?
The General Data Protection Regulation will change data policies as we know them. With 99 articles across 88 pages, it is essential that companies understand the intricacies of the new regulation and its impact on their organization. Let us help you get ready.
To discuss any concerns you may have, please get in touch today.