Have you heard of the GDPR?
That's right, if you have a company that collects data on EU citizens for any reason whether it's hotel reservations, medical offices, or marketing and you aren't abiding by their rules, you could get fined as much as €20 million.
Here's what you need to know.
With the growth of the internet has come an increased need for privacy and security. New ways of collecting and using data are developed every day, and along with each development comes a renewed need to safeguard personal information.
The GDPR, or General Data Protection Regulation, is designed to bring all data protection laws in Europe into harmony while giving EU citizens power over how and where their data is used and stored as well as protection from theft.
This law will take effect in May of 2018, and 73% of privacy professionals believe that it is the single most important advancement in privacy history in the last 20 years. The law breaks data into two categories: personal data and sensitive personal data. Personal data includes things like:
- Location data
- Identification numbers
- IP address
- Cookie data
- RFID Tags
While sensitive personal data includes things like:
- Health data
- Genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Over 80% of data privacy professionals believe the GDPR will have a positive impact on personal privacy, yet most businesses are still unprepared for the law to go into effect. In the United States, 92% of businesses rate preparing for the implementation of the GDPR as a top priority, but while 77% of U.S. businesses have begun preparing only 6% say they are currently ready.
Nearly 70% of U.S. businesses will need to spend between $1-10 million to prepare for the GDPR, and 9% will have to spend more than $10 million preparing for the GDPR.
Many companies will need to hire a data protection officer in order to be in compliance with the GDPR, which means 28,000 data protection office positions will need to be filled by qualified professionals.
Two-thirds of businesses will need to change the way they do business in Europe, and 85% say that doing business with the EU will become more difficult after the GDPR is implemented. Over half of companies believe they will be fined at some point for non-compliance with the rules of the GDPR.
An ounce of prevention is worth a pound of cure, as the old saying goes. So what can your company do to ensure it is ready to take on the challenges of the GDPR next year?
- Hire a data protection officer or appoint one from within
- Create a data protection plan for EU citizens' data
- Conduct a risk assessment and know where EU citizen data is being stored and identify risks to that data
- Implement security measures that comply with the GDPR
- Assess policies and procedures on a regular basis
Your company is required to have a data protection officer if it meets ANY of the following criteria:
- You process or store large amounts of EU citizen data
- You process or store special personal data
- You regularly monitor data subjects
- You are a public authority
The GDPR will be a landmark law in preventing abuse of EU citizens' personal data. Among the issues covered by the law, EU citizens will have the right to know how their data is being used and stored, they can take their data with them at any point, and they have the right to be forgotten and have their data erased at will.
Companies that collect data will be required to assess threats, report any breaches within a timely manner, and take reasonable precautions to safeguard data.
No matter where you are located in the world, there is a chance that the GDPR will affect your business. Don't assume you can't get fined if you aren't located in the European Union. Learn more about the GDPR from this infographic courtesy of Digital Guardian.
Is your company taking the necessary steps to prepare for this far-reaching privacy law to go into effect?