The EU’s incoming General Data Protection Regulation will have far-reaching effects.
Quickly, do you know what the GDPR is? The General Data Protection Regulation goes into effect on May 25, 2018 for all companies based out of the EU and for all companies that do business in the EU.
That’s right, even if you’re not in Europe if your business has any kind of footprint there you’re still obligated to follow the EU’s new rule. Ignoring it risks penalties, fines and even bans. Not to mention other businesses will blacklist you rather than risking their own compliance.
Unfortunately, a great number of American companies that will be affected by this regulation seem to be unaware of it. That’s a problem because this is going to be an impactful rule when it comes into effect.
What is the GDPR?
The General Data Protection Regulation is a new set of EU guidelines for the processing, storage and management of personal information. While the entire regulation is over 80 pages, it basically boils down to this, the EU is imposing regulations and restrictions on what information can and can’t be processed and stored, as well as what notifications are required and what rights individuals have with regard to their own personal information.
At the core of the regulation is this position:
The protection of natural persons in relation to processing of personal data is a fundamental right.
The concepts and principles contained in the GDPR share the same DNA as what’s in the current Data Protection Act, so companies already in compliance with the DPA have a head start. The big difference is that the GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate accountability.
Essentially you’ll be asked to provide legal justification for the processing of personal data, then you’ll need to audit your organization to document all information flows and where that information is being stored. From there you’ll need to devise a notification system that alerts individuals when their personal information is being collected, requests consent in some cases and gives them the right to have the information deleted then, or after a set period of time.
Does that sound like a lot?
That’s why we’re starting this series on GDPR preparations. Every Wednesday for the next month or so we’ll run an article that discusses how different market segments will need to prepare for the May 25 deadline. The GDPR is incoming, we’re here to help you Hash it Out.
Hashed Out GDPR Compliance Series:
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach