5 Things Partners Need To Know About New GDPR Regulations
Getting Ready For GDPR
While we're still about a year away from General Data Protection Regulation (GDPR) regulations taking effect – the time is now for partners to start upgrading their clients in preparations for the new standards. Put in place by the European Union, the GDPR puts significant requirements on companies on how they handle customer data, with the goal of greater data privacy and protections for consumers. For partners, that means a responsibility to helping their clients get up to speed with understanding and complying with the new regulations. Here are the basics of what partners need to know when it comes to GDPR regulations.
What is the goal?
The goal of the GDPR is to standardize data protection regulations across the EU, with a single set of rules across all EU member states on how companies collect, use and share data from citizens. The ultimate goal is to provide greater data privacy and protections for EU citizens.
Who is impacted?
The regulations apply to companies based and with offices located in the European Union. That includes both companies that collect data on EU residents and those that process data on behalf of those companies (such as CSPs). However, due to what the GDPR calls "extraterritoriality," it will also apply to companies that collect or process data on EU citizens, even if they are not physically located in the EU. The EU defines personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
What areas need to be updated to comply?
There are multiple areas of compliance that companies will need to make sure they meet for GDPR. When it comes to data collection, companies will need to review privacy policies and notices, as the GDPR sets some standards around consent for data collection and individual rights. The GDPR also puts in place accountability measures, including requirements for Privacy Impact Assessments, Privacy by Design and Default requirements, data transfer requirements, and new rules requiring breach reporting within 72 hours. These conditions may mean companies need to update their data breach plans, audit their data collection and transfers, and set up a framework for accountability. Finally, some companies will also need to appoint a Data Protection Officer, a new position to monitor GDPR compliance that businesses will have to appoint if they are 1) public authorities; 2) if they process data as a core component of their business, or if they process data on a large scale; or 3) if they process data that is of a sensitive personal nature.
What are the penalties?
The penalties are steep if companies are found in non-compliance with the regulation. Penalties can range from a written warning, to mandated regular data protection audits, to financial penalties of up to 2 percent or 4 percent of a company's yearly revenues (or 10 million euros and 20 million euros, respectively, if those amounts are greater). The penalties are tiered based on what measure companies failed to meet.
What are some of the critical deadlines?
The GDPR was voted into effect in April 2016 and officially was adopted around that time. However, companies were given a two-year transition period to get up to speed with the new regulation, which goes into effect beginning May 25, 2018.