In the digital age, data privacy is at the forefront of a worldwide conversation about the future. To that end, the General Data Protection Regulation (GDPR) has been proposed by the European Commission. Formally known as Regulation (EU) 2016/679, it was approved in April of 2016 and fully implemented by the 25th of May 2018.
Although it doesn’t require individual legislation, it is a serious regulation; stiff penalties have been set for non-compliance (4-5% of global turnover or €20 million).
The GDPR is not just for the EU; it applies to any company worldwide that handles and/or exports personal data gathered from EU citizens.
The GDPR focuses on the export of personal data outside the European Union (EU), while at the same time strengthening EU citizens’ data protection. In plain terms, with the GDPR, EU citizens will have as much control as possible over their personal data.
For the purposes of the regulation, the European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
In addition, the definition of data consent has been tightened; parental consent will be required for minors; and citizens have the “right to erasure,” meaning anyone can demand that their data be entirely erased from a particular entity. This works both ways: whether a person wants to delete their Facebook account out of pique, or no longer have a moment of poor judgement haunt them on Google forever. There’s also a citizen’s right to know what, where, and why their data is being stored, to which the company must answer via electronic copies of that data.
It’s a broad scope to say the least, which means that companies will need to check every aspect of their data collection and storage across every process of their business to ensure compliance. And they need to do so safely, consistently, and transparently.
Of course, companies must achieve compliance in the first place. It can involve a complete restructuring of a company’s digital infrastructure.
First, a company must determine if it stores data of EU citizens. If so, it has to identify the processing, storage and transmittal of that data. Then, it needs to obtain and implement the tools and design necessary to ensure full compliance, followed by an audit.
If your company will be affected by the GDPR compliance deadline, then you can’t waste any time. Although it won’t impact the way you conduct your daily business, it is a project that will impact your company’s digital future.
In addition, there’s the crucial decision of appointing a Data Protection Officer for the GDPR, who will have a specific set of tasks and duties that are integral to compliance. While it can be one of your employees, there are strict protocols in place regarding conflict of interest, reporting lines and more, and they must be followed or there will be fines to face.
100% Security can handle every aspect of your company’s GDPR compliance. We have the tools and the team to identify, design, and implement the many aspects of this important regulation.