After four years of work, the EU, which previously relied on the Data Protection Directive, has renewed its data protection initiatives and released the General Data Protection Regulation to combat the threats posed by modern-day technologies and capabilities.
What You Need to Know About GDPR Regulations
The May 25 deadline has already passed, but your goal should not be compliance by the deadline. Your goal should be ongoing compliance. Here’s the answer to some questions you may (or may not) have already asked yourself.
“Am I off the hook?” Not quite, if you:
- Have a business presence in an EU country
- Have a business presence outside an EU country, but collect and process the personal data of EU citizens
- Have a company with more than 250 employees
- Have a company with fewer than 250 employees, but process sensitive personal data
“What are the consequences for noncompliance?” If you meet any of the criteria above, it’s critical that you begin working toward compliance. Otherwise, you may face the following consequences:
- Failure to Comply / Technical Measures = Up to an amount that is the GREATER of €10 million or 2% of global annual turnover (revenue) from the prior year.
- Data Breach / Key Provisions = Up to the GREATER of €20 million or 4% of global annual turnover from the prior year.
“What do I need to do?” Here are 6 steps to start with from the Raising the Bar on Privacy Protections section of the Arrow GDPR packet:
- Discovery/awareness: What do you have, where did it come from, and with whom is it shared?
- Create a data protection plan: Many already have one in place, but you’ll need to review and update yours.
- Assign/hire a Data Protection Officer (if you need one): GDPR does not say this must be an explicit position, but you’ll want to avoid conflicts of interest. May be virtual or full-time.
- Create an accountability framework: This may be a requirement for you under GDPR. If this applies to you, you must be able to prove policies and procedures comply with defined protection principles. You must also provide DPO contact info.
- Review and update all policies: This includes retention policies, privacy policies, and personal data notifications. These should be stated in plain language.
- Perform due diligence of third-party vendors: Make sure they understand GDPR compliance, are abiding by it, and are not violating cross-border data transfer rules.
This is by no means an exhaustive source of the information present in the GDPR requirements. To be in the know, download the Arrow GDPR packet.
Last modified: May 3, 2019