If you do any business in or with a country in the European Union (EU), or hold any data of individuals within these countries, hopefully you have heard of, and prepared for, the General Data Protection Regulation (GDPR). If not, you are not alone: Gartner estimates that nearly 50% of U.S. organizations are unprepared for the regulation that goes into effect on May 25, 2018.
So why would a U.S. company need to be concerned with an EU regulation? First, the term "regulation" means more than a request; it is a law. Think HIPAA (Health Insurance Portability and Accountability Act of 1996). Organizations in violation of GDPR can be fined up to 4% of annual global revenue or €20 Million (USD $23.6M), whichever amount is greater.
The purpose of the new regulation is to protect EU citizens' personal data, a growing topic of concern across the globe. While this coming regulation has caused alarm across many global organizations, some experts have suggested that compliance will ultimately benefit businesses, by directing how they collect, gain consent, store and use personal data.
Some of the key requirements of GDPR include:
Most of the regulation is achievable by following an adoption plan, and compliance will result in modified processes and organizational structure. Article 35, for example, requires certain companies to appoint a data protection officer. Specifically, any company that processes data revealing an individual's genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer. These officers act as the point of contact with the Supervising Authorities.
A few of the requirements embedded in the regulation's 11 chapters and 99 articles, however, have specifics that are causing concern. One such provision states that upon detecting a data breach, a company should notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it." For those who have experienced a data breach, this may sound nearly impossible.
Regardless of how this is viewed, compliance is not optional for U.S. companies that have any access to EU personal data, including that of employees, contractors, customers, distributors or even marketing lists. The regulation goes into effect in May 2018, and with the hefty fines associated with it, the time to prepare is now.