Lately there has been a lot of talk about “GDPR.” If you’re a company who does business in Europe, here is what you need to know about General Data Protection Regulation.
What Is GDPR?
It was adopted in April 2016 by the European Parliament to address the export of personal data outside the European Union. The primary goal is to give citizens more control over how companies use their personal data, and aims to penalize organizations that fail to comply with the rules. It also plans to align privacy laws across all EU member states.
Under the GDPR, companies will not be allowed to collect and use personal information, including a person’s name, email address, telephone number, cookie strings, IP addresses, etc., without the person’s consent. Firms must also report any data breaches to authorities within 72 hours.
For non-compliance, companies with be penalized and fined. Penalties and fines are calculated based on the company’s global annual turnover of the preceding financial year, and can reach up to 4% or 20 million euros, whichever is greater.
Timeframe Of GDPR
Now that you have some understanding on what GDPR is, you’re probably wondering when the rules and regulations of will take effect. The GDPR will apply in all EU member states, and will go into full force on May 25, 2018; it’s right around the corner.
Who Does GDPR Affect?
All EU organizations that collect, store or process the personal data of individuals residing in the EU will be affected by the GDPR, even if they’re not EU citizens. Also, organizations based outside the EU that offer goods or services to EU residents, monitor their behavior, or process their personal data will be subject to it. In this way, it provides protection to EU citizens, no matter where their data travels.
Businesses of all sizes are affected, including small businesses and large enterprises, and no one is exempt. So, if you’re a U.S.-based company, especially one with a strong Internet presence, and you’re not sure if the GDPR applies to you, you should definitely take some time to assess whether your business activity falls within the territorial scope of the GDPR. Chances are good it probably does.
Preparation For GDPR Compliance
Here are a few things you can do now to ensure your business complies with all the rules of the GDPR:
- Educate your staff about GDPR. Not only should you understand the rules surrounding it, but your employees should have a full understanding of the risks, as well. Keeping your whole team informed will ensure that the proper procedure is followed.
- Make sure your business complies with the rights of individuals as defined under GDPR. There are eight existing rights that are clearly defined for individuals, including the right to object, right not to be subjected to solely automated processes, right to access, and the right to be informed. Make sure your business complies with all the eight individuals rights defined under GDPR.
- Prepare for data breaches. You should also be prepared with a strategy for if and when your company has a data breach. Check out the ICO website for more guidance on how you can better prepare for a data breach.
How Commercient Is Preparing For The GDPR
In response to the GDPR, Commercient has strengthened its internal policies and procedures to ensure its obligations under the new set of data subject rights. We have taken a stance to safeguard an individual’s data by ensuring enhanced security for individual data at rest, plus encrypted data in transit.
Additionally, we conduct routine data audits using data processing logs to ensure that the data we process is secure. We’ve also developed systems to prevent data breaches, and are prepared to notify a Controller of said information of a breach within 72 hours. For more details and to get more information on how we are preparing for it, check out our GDPR compliance page.