If you own or work for a company that does business with anyone in the European Union (EU), you hopefully already know about the GDPR, the EU General Data Protection Regulation.
In short, the GDPR, which has been in the works since 2012, has replaced the Data Protection Directive 95/46/EC and strengthened data privacy for all EU citizens. Whether you have current and repeat transactions with the EU or may have them in the future, here are ten facts you need to know about Europe’s new GDPR requirements.
1. If You Own or Operate a Business, the GDPR Regulation Applies to You
Many business owners in the U.S. and other countries might assume that, since they aren’t based in the European Union, the GDPR rules don’t apply to them. If your company processes the personal data of any EU citizens, regardless of where your business is located, you are expected to follow all of the requirements of the General Data Protection Regulation.
How do you know whether your company processes personal data? If you offer goods or services to customers or businesses in the EU, you’re dealing with personal data and must be GDPR compliant.
The GDPR greatly affects your internal communications, so it’s critical to use a compliant platform that keeps personal data secure.
2. Controllers and Processors Have Specific GDPR Regulation Responsibilities
According to Article 4 of the GDPR, a ‘controller’ is a person, public authority, agency, or other body that “determines the purposes and means of processing the personal data” of customers and businesses.
A ‘processor’ processes personal data on behalf of the controller. While the processor may seem like a “middleman,” under the GDPR principles a processor has its own legal obligations: to maintain records of the personal data it handles and to improve the overall security of that data and of its processing.
3. You Must Appoint a Data Protection Officer
The GDPR requires every organization that processes particular categories of data on a large scale, that carries out widespread monitoring such as behavior tracking, or that is a public authority to appoint a Data Protection Officer (DPO) to oversee the processing and ensure that protocol is followed.
4. The Definition of “Personal Data” Has Changed
When dealing with business transactions, we may assume that personal data is limited to account or ID numbers, addresses, and birthdates. While this type of personal data should certainly be kept secure, the GDPR has expanded the definition of personal data.
Personal data now means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” Social, mental, economic, cultural, and even genetic information is now considered personal data to be protected under the GDPR requirements.
5. The Deadline for GDPR Compliance Has Passed
Once you determine whether or not the GDPR applies to you (remember, it affects any company that has relations with the EU), you had until May 25, 2018 to be fully compliant. Now, if your business is not fully compliant with the new GDPR rules, you could be heavily fined by regulatory bodies.
6. There are Consequences for Non-Compliance
Anyone who isn’t GDPR compliant faces a fine that may range from 20 million euros to 4% of the company’s annual global turnover.
GDPR fines vary depending on how data is “mishandled,” which may include (but is not limited to) failure to report a data breach, failure to build in privacy by design, and unauthorized transfer of personal data. Make sure to use only GDPR compliant means of communication, including any team app you use as part of your internal communication. Some popular messaging apps like WhatsApp don’t meet the requirements, and using them can result in hefty fines.
7. You Need a Clear Explanation for Collecting Personal Data
Many companies collect personal data without the user’s knowledge. Even if the individual whose data is being collected doesn’t mind, there must be a clear explanation of why the information is collected and how it will be used. In accordance with GDPR principles, explicit consent is also a must.
Make sure you are well aware of which business communication tools both your own workforce and your partners’ workforces use, such as a team app, and ensure they are GDPR compliant.
8. A Breach Must be Reported Within 72 Hours
Any breach that threatens the privacy of an individual’s data must be reported within 72 hours of when the breach was first detected. If the report is found to have been delayed beyond what the GDPR requires, the company or organization may be fined.
9. Victims Must be Alerted to Any Risks
If a breach occurs, the company must contact the affected individuals immediately. According to GDPR principles, it’s not appropriate or “enough” to release news of a breach through a press release, on a website, or through the use of social media.
10. GDPR Compliance May Differ From One Company to the Next
GDPR compliance is likely to look quite different from one organization or company to the next. Compliance depends heavily on the company’s size, the personal data collected through internal communication methods such as a team app, and the goods and services offered.
The best way to ensure your company complies with the GDPR regulation by May 25, 2018, is to follow a GDPR checklist; it’s not too late to prepare yourself for the changes.