- Do we offer goods and services to people in the European Union (“EU”)?
- Do we have third parties which store or send data to the EU?
- Do we collect or analyze any data of EU residents?
- Do we have any EU citizens as part of our workforce?
The new data protection law was adopted by the EU in April 2016 and is intended to bolster data protections for EU residents. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. Companies, government agencies and non-profits interacting with EU residents have until May 2018 to comply.
The GDPR defines scope as:
- Organizations who offer goods or services to individuals in the EU (even if they are based outside of the EU)
- Non-EU based organizations conducting monitoring activities in the EU which entail the processing of personal information
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Making collected data anonymous to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
What is the cost of non-compliance? How about a maximum fine of 4% of your total revenue or €20 million (about $21.9 million), whichever is higher. Companies can be fined if their outsourced data host or processor is breached, meaning your circle of control must extend outside your corporate walls.
While GDPR represents an important step forward for individual privacy rights, it will require vast changes and potentially significant investments by organizations around the world to comply. The good news is that existing privacy methodologies can be leveraged to assess potential gaps and provide guidance to the organization. The time is now to develop your plan of attack, dig deep into your data to better understand your potential exposure, and begin your journey towards compliance.
So where do you start?
- Start planning – if the process hasn’t already been started, then get moving. The significance of this regulation warrants a dedicated resource to oversee the adaptation of business processes in response to it. Your first step should be to put together a team to develop and execute the strategy.
- Review data management processes – the team should give consideration to the information your company currently holds. They should review existing supplier contracts and conduct an assessment of what personal data the company currently stores, how it is being used, to whom it is being disclosed and where it is being transferred. A full and comprehensive understanding of your current data privacy position will make life easier further down the line.
- Put data breach reaction procedures in place – for a company that does not have existing procedures for notification of data breaches to the data protection authority, the creation of a protocol will be critical. In the event of a breach, timing, accuracy and transparency are key and failure to respond appropriately could have significant consequences.
Gilmore Jasion Mahler, LTD (“GJM”) has recently launched a GDPR networking series bringing together companies in our market that are working towards their compliance goals. This series is an important step in facilitating knowledge sharing and real-life examples of how companies are attacking this issue. If your company is interested in participating, please contact us at (419) 794-2000.