There is no shortage of rules and regulations to observe when it comes to data protection. Businesses that want to stay on the right side of the law (and their customers) must comply with federal, state, and local privacy laws, as well as any applicable industry regulations geared toward protecting specific confidential information (such as HIPAA and FACTA for medical and financial fields).
Keep in mind, however, that businesses interested in operating on an international scale, or working with international partners, may also have to comply with digital security laws in place overseas. If you operate in the European Union (EU), or you’re working with companies there, you could soon be on the hook to meet new obligations. What is the GDPR and what do you need to know about it if you conduct business in the EU?
What is the GDPR?
The General Data Protection Regulation, or GDPR, is new legislation concerning the safety and security of confidential data for EU residents. It’s unique in that it applies not only to EU companies, but also external businesses operating in the EU, including businesses that have no physical presence in EU countries.
It applies to any business that collects, uses, or discloses personal data of EU citizens. In other words, this legislation could apply to businesses that offer online services to EU residents, or perhaps even to businesses that partner with EU companies. The main goal of the new regulations spelled out in the GDPR is to protect EU residents from common issues like fraud and identity theft by requiring businesses to follow strict security standards for personal records and confidential data.
What Does the GDPR Cover?
The GDPR, which goes into effect in May 2018, covers both business obligations and potential threats to EU residents. Businesses are obligated to obtain consent to process data; to notify affected individuals within 72 hours in the event of a data breach; to erase information that is no longer needed; and, in some cases, to appoint a Data Protection Officer familiar with data protection laws and procedures.
This is all intended to protect EU residents from potentially harmful activities like secrecy about how data is being used; disclosure of sensitive information (race, religion, gender, and so on); evaluation of personal habits (health, work performance, economic habits, etc.); discrimination and identity fraud; and the processing of data specific to vulnerable people or populations.
Since this law applies to any and all companies operating in the EU (including U.S. companies), there could be serious consequences attached to non-compliance. Companies that fail to comply with GDPR regulations could face fines ranging from about $12,000 (USD) up to $24 million, depending on the severity of the infraction.
Under the GDPR, authorities claim the right to review privacy policies and procedures at any time, which means companies operating in the EU must have suitable policies and procedures in place when the GDPR takes effect. Failing to comply with these new regulations could not only entail fines, it could also jeopardize a company’s ability to continue operating in the EU, so it’s best to take steps now to come into line with the new regulations spelled out in the GDPR.