On Friday, May 25, 2018, the EU General Data Protection Regulation (GDPR) took effect in all member states of the European Union. With the GDPR now a reality, it’s important to know how it will affect organizations around the globe, even if they are not located in the EU. What are the most essential things to know about this game-changing regulation? Let’s take a look at the rules that will affect most companies around the world.
1. What is GDPR and Does it Apply to You?
GDPR (Regulation (EU) 2016/679) is the European Union's regulatory framework governing the collection, use, storage and destruction of the personal data of EU data subjects. Compliance has been mandatory since May 25, 2018, and the risks of non-compliance include heavy penalties: administrative fines of up to 4 percent of total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher. It applies to any controller (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) or processor (the body that processes personal data on the controller's behalf) that is established in the EU, and to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. It covers for-profit and nonprofit organizations alike.
Although the GDPR is an EU regulation, its reach extends well beyond the EU's borders. If your business offers goods or services to people in the EU, even free of charge, or tracks their behaviour online (for example through analytics cookies or profiling), your business is affected regardless of where it is headquartered. Do not assume that you are exempt from fines just because your headquarters is outside the EU. Enforcement rests with the supervisory authorities of the EU member states, and an organization with no establishment in the EU that falls within the regulation's scope must, with limited exceptions, designate a representative in the EU (Article 27) through which those authorities can act. A company that treats the GDPR lightly should therefore expect a European supervisory authority at its door.
2. Controllers and Processors
GDPR defines two major roles for organizations that handle personal data: controllers and processors. A controller decides why and how personal data is processed. A processor processes personal data only on the controller's behalf and on its documented instructions, for example a hosting provider, payroll service or email-marketing platform. A single company may be a controller for some data and a processor for other data, and a controller and its processor are frequently two different companies. If your company fits either description, it must follow the GDPR: controllers carry the primary accountability, but processors have direct obligations of their own, including a written contract with the controller (Article 28), appropriate security measures (Article 32) and notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).
3. The Final Definition of Personal Data
So-called "personal data" is what the GDPR is trying to protect. The term was defined under the earlier Data Protection Directive, but the GDPR's definition (Article 4(1)) is broader and more explicit: any information relating to an identified or identifiable natural person, including identifiers such as a name, an identification number, location data or an online identifier, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity. IP addresses and cookie identifiers are treated as personal data. Health data, along with other "special categories" such as biometric and genetic data, receives additional protection under Article 9. What does this mean in practice? The regulation covers almost any data that can be traced back to an individual, directly or indirectly, and pseudonymized data (for example, hashed identifiers that can still be linked back to a person with additional information) remains personal data. Only data that is genuinely anonymized falls outside the rules, so companies have far less room to argue that indirectly identifying data is out of scope.
4. Lawful Use of Data
The conditions under which personal data may be processed are now precisely defined. First, data must be collected for specified, explicit and legitimate purposes and not used in ways incompatible with those purposes (Article 5(1)(b)). Second, every processing activity needs a lawful basis under Article 6. Consent is one such basis, but not the only one; contracts, legal obligations and legitimate interests are others. Where consent is relied on, it must be freely given, specific, informed and unambiguous, which rules out pre-ticked boxes and inactivity as a form of agreement, and it must be as easy to withdraw as it was to give. Third, individuals have enforceable rights: they may at any time request access to the data a controller holds about them (Article 15) and, under the conditions of Article 17, request that it be erased. Controllers must generally respond within one month. Processors must assist the controller in honouring these requests rather than act on them independently. Finally, personal data may not be kept in identifiable form for longer than is necessary for the purpose for which it was collected (Article 5(1)(e)), so retention periods need to be defined and enforced.
5. Data Breaches
If a company suffers a personal data breach, it has another new problem to worry about. A controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33). If the notification is late, the controller must explain the delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay (Article 34). Processors must report breaches to their controller without undue delay so that the controller's clock can be met. Failing to meet these obligations is itself a finable offence, in addition to any penalty for the security failure that caused the breach, so every organization needs a tested incident-response process that can reach a notification decision inside that window.
6. Most IT Pros Are Not Ready
IT professionals and digital marketers outside the EU may not be ready for what the GDPR implies for online business. Companies that outsource these functions remain accountable as controllers for what their vendors do with personal data, so they may find themselves on the receiving end of a large fine if they do not confirm that those consultants and service providers understand the regulation and are bound by contracts that meet the requirements of Article 28.
7. The Deadline is Here
In some cases, such as Canada's Anti-Spam Legislation, the government delayed enforcement of parts of a new regulation. That is not the case with the GDPR. It was adopted in April 2016 with a two-year transition period, and compliance has been required since May 25, 2018. Ignorance is no longer an excuse. If you are collecting personal data improperly or processing it unlawfully, supervisory authorities are now fully empowered to act against your business.
As GDPR sinks into the world business landscape, its regulations will likely become more commonplace around the world. In the meantime, companies planning to do business with any entity inside the EU should protect themselves by becoming familiar with this hugely important regulation.
Given the expanded reach and complexity of GDPR, almost any company or service provider that is doing business with EU data subjects will now fall within its purview. If you have any questions about GDPR, please contact us and a member of our team will be happy to assist you.
PS LIGHTWAVE is the consultative data-connectivity provider for public and private entities in the Greater Houston area. Through our high-quality infrastructure, innovative technology and superior level of support, we deliver not only the best in connectivity and reliability but in scalability and redundancy. You’ll also appreciate that the PS in our name stands for “Pure Speed.” We fully understand that technology is a moving target, and we understand the people and infrastructure of the Greater Houston area. We are nimble, flexible and responsive, and we embrace leading-edge technologies that improve the customer experience. We invite you to learn more. Visit our website or contact us. Concerned about connectivity? Think PS LIGHTWAVE.