You don’t need to be based in the European Union to be subject to the new General Data Protection Regulation (GDPR), scheduled to take effect in May of 2018. These broad compliance standards protect the data of any EU citizen regardless of where the data resides. You will want to know how to avoid fines as high as 4% of your total global revenue. In fact, educating yourself by reading this article is one step toward demonstrating compliance. Even if your company may not need to comply, GDPR enforces best practices in data protection, so read on.
What is the General Data Protection Regulation?
General Data Protection Regulation (GDPR) provides a uniform standard for data protection for individuals of the European Union (EU). Proposed by the European Commission, it is expected to go into effect in May of 2018. Not only does it protect privacy information for EU residents, but it also addresses the export of personal data outside the EU.
Does My Business Need to Comply?
If you store email addresses and other personal information of EU residents, you might be subject to GDPR. In our ever-shrinking global economy, it is not uncommon to have EU individuals’ privacy information. The GDPR standard includes health information, marketing databases, and commercial information, among others. For example, you may have personal information in your email databases; companies that sell via e-commerce may also have personal information subject to GDPR.
How to Comply with GDPR
Start by understanding the compliance requirements. Taking steps to educate yourself not only helps you comply, it may also lessen fines if you are in breach. One way to demonstrate compliance is keeping applications and operating systems up to date by using security patches and conducting regular backups. Another way to show compliance is to develop a data register to classify databases containing personal information. Both practices will help you demonstrate compliance in the event of a data breach. European Union individuals (i.e., Data Subjects) also have the right to erasure. In addition to opt-outs, companies can be asked to remove personal data from their systems if there is no legal or commercial purpose for keeping the data.
GDPR also covers privacy information used by marketers by requiring clear consent for database marketing. This includes opt-in requirements for email marketing purposes. Exercising permission marketing and cleaning house on old lists or data that is no longer in use is advised to minimize risks.
As always, assess your risks and focus on the areas most likely to create exposure. Once the law is in effect, you are expected to notify authorities within 72 hours of identifying a breach. The more information you can provide, the better you demonstrate compliance and the lower your exposure to fines.
Can the EU Enforce GDPR?
Companies incorporated within the EU or having physical presence there will face pressure to pay fines. Larger companies outside the EU may face trade restrictions and other sanctions if they fail to comply. The practicalities of enforcement on small businesses without physical presence in the EU are uncertain. Regardless, GDPR sets a floor for adhering to best practices for data protection. As a result, compliance helps avoid fines, legal fees, loss of reputation and other losses due to a data breach.
For more information on the General Data Protection Regulation visit: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/. If you are not sure whether you are adhering to best practices in data protection, contact your technology advisor to see how you can avoid the unnecessary distraction of a data breach.