What is GDPR: Your 5 Minute Brief

by Morgan Krueger | 29 | GDPR, data, security


What is the GDPR?


The GDPR stands for the General Data Protection Regulation. This measure was passed by the European Parliament and European Commission. The goal is to promote increased data protection of citizens by creating a set of unified data security regulations for the European Union (EU).


There are two broad categories of data that the General Data Protection Regulation covers. The first category includes customers' personal data, such as their name, postal address, and IP address. Companies that store, process, or utilize this type of information must comply with GDPR regulations. Pseudonymised personal data may even be included, depending on the situation.


The second category of data is "special categories of personal data." This includes sensitive information such as religious views, sexual orientation, political leanings, and genetic or biometric data.


The GDPR has increased the protection of these two types of data by ramping up the data security measures that companies must have in place. Additional security requirements include data protection impact assessments, stricter rules involving data breach notifications, and data protection officers.


Learn more about the GDPR's specific requirements in our blog.


Why was the GDPR created?


Technology has been outpacing legislation for decades. The GDPR is a comprehensive overhaul to Europe's data protection legislation that seeks to protect the personal information of citizens of the European Union.


Keeping big data in mind, the GDPR recognizes that companies keep records on their customers. This means there are countless companies out there that have the private information of EU citizens.


Add to this the fact that the size and number of data breaches have been increasing in recent years. Affected companies include Yahoo, Equifax, Anthem... the list goes on. The amount of personal information that has been hacked over the past decade is staggering.




The GDPR seeks to strengthen the protection of citizens' personal information and data. Through the GDPR, companies are required to disclose how they are using customer data, utilize customer data the way they report using it, and prove their compliance if called upon.


Discover 3 steps to identify and protect sensitive data for the GDPR.

Companies with more than 250 employees must document why they are collecting customer information, where and how long they hold this data, and what data protection measures they have guarding their customers' data.


Companies with fewer than 250 employees may have less stringent requirements, depending on their exact services and situation.


Additionally, the GDPR requires businesses to receive consent from individuals before collecting and saving their information. They also must provide data subjects with a copy of their data on file, if requested.


UK Information Commissioner Elizabeth Denham said the GDPR "is an evolution in data protection, not a total revolution. It demands more of organizations in terms of accountability for their use of personal data."


Where will the GDPR take effect?


These data security regulations were passed as a comprehensive reform covering the entire European Union. However, it is important to remember that the GDPR does not apply exclusively to companies located within the EU.




Rather, it applies to all companies that hold the information of EU citizens. If your company is located in the United States, Canada, or any other country and you sell or market to EU citizens, you must become GDPR compliant.


The GDPR will continue to apply to companies with the personal information of citizens in the United Kingdom, despite the UK's decision to exit the European Union. There may be small alterations to the General Data Protection Regulation in the UK, but the majority of GDPR legislation is expected to be retained.


Who does the GDPR apply to?


If your company fell under the Data Protection Act of 1998 (DPA), then you likely fall under the GDPR's umbrella. The GDPR does, however, create new rights for customers regarding the information that companies store about them. It is therefore possible that your business must comply with the new General Data Protection Regulation even if it did not fall under the DPA.


Furthermore, every organization that is considered a 'controller' or 'processor' of the personal data of EU citizens must become GDPR compliant. For instance, cloud companies that do not control the information of EU citizens but do process that data for their clients must meet GDPR standards.




In summary, any company in the world that controls or processes the personal information of EU citizens is subject to GDPR regulations. If you hold the information of EU residents, you must protect it according to GDPR standards.


In fact, Ovum released a report showing that 52 percent of U.S. businesses think the GDPR will result in their company being fined, while 2 in 3 U.S. businesses are expecting the GDPR to change their European business strategy.


Unsure if becoming GDPR compliant is worth the cost? We explore that issue in our next GDPR blog.


When must I be GDPR compliant?


While the European General Data Protection Regulation was published in the spring of 2016, it will not take effect until May 25th, 2018. Until that date, businesses have time to adjust their policies to ensure compliance.




For companies that are not compliant by this deadline, there is the possibility of hefty fines. Companies can be fined for processing customer data incorrectly and in the case of a security breach, among other reasons.


The maximum fines are set at 4 percent of an organization's annual global turnover or 20 million euros, whichever is greater. This translates to approximately 23 million U.S. dollars. These fines can apply to both the controllers and processors of the relevant data.


Denham emphasizes that, despite the strict penalties, the GDPR "is not about fines. It's about putting the consumer and citizen first."

