By now you are no doubt aware of the EU’s General Data Protection Regulation (GDPR), which introduced the most sweeping changes to data protection law seen in decades.
The Regulation, which became enforceable on May 25, 2018, does not only affect European companies; its reach extends across the globe.
If your company offers goods or services to individuals in the EU, or monitors their behaviour, the GDPR applies to that processing whether you are located in the EU or not, and it will significantly affect your business.
The fines for non-compliance are large; this is not something any business owner can afford to ignore.
The GDPR is extensive, running to 99 articles in 11 chapters. The articles listed below are the ones most likely to affect your business directly. Article numbers refer to the adopted text, Regulation (EU) 2016/679; older summaries based on the 2012 Commission draft use different numbers for several of these provisions, so both are given where they differ.
Articles 17 & 20 (Articles 17 & 18 in the 2012 draft)
Articles 17 and 20 give your data subjects more control over their personal data.
Under the “right to data portability” (Article 20), users can receive the data they provided to you in a structured, commonly used, machine-readable format and transmit it to another service provider. Under the “right to erasure” (Article 17), they can ask you to delete their personal data, and you must do so without undue delay where one of the listed grounds applies, for example when the data is no longer necessary for the purpose it was collected for or when consent is withdrawn.
Articles 25 & 32 (Articles 23 & 30 in the 2012 draft)
Articles 25 and 32 require every controller and processor to implement appropriate technical and organisational measures to protect personal data: data protection by design and by default (Article 25), and security of processing appropriate to the risk (Article 32). Article 32 expressly names pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience, the ability to restore availability after an incident, and regular testing of those measures.
Articles 33 & 34 (Articles 31 & 32 in the 2012 draft)
Article 33 requires a controller to notify the competent supervisory authority (SA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; a processor must notify its controller without undue delay.
If the breach is likely to result in a high risk to the individuals concerned, Article 34 requires you to inform those individuals as well, without undue delay.
Articles 35 & 36 (Articles 33 & 33A in the 2012 draft)
Article 35 makes a Data Protection Impact Assessment (DPIA) mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of publicly accessible areas; the DPIA identifies the risks to data subjects and the measures that address them. Where the DPIA shows a residual high risk that cannot be mitigated, Article 36 requires prior consultation with the supervisory authority before processing begins.
Articles 37, 38 & 39 (Articles 35, 36 & 37 in the 2012 draft)
Articles 37 to 39 require a business to designate a data protection officer (DPO) when its core activities involve large-scale processing of special categories of data (racial or ethnic origin, religious beliefs, health data and so forth), large-scale regular and systematic monitoring of individuals, or when it is a public authority; the DPO advises the organisation and monitors its compliance.
Be aware that information gathered about employees and job applicants during hiring (health or diversity information, for example) is personal data, often of a special category, so HR processing can trigger these obligations too.
Article 3 (territorial scope) makes the GDPR apply to any company that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the company is based.
Article 83 (Article 79 in the 2012 draft) sets out the administrative fines, which for the most serious infringements can reach €20 million or 4% of a business’s total worldwide annual turnover for the preceding financial year, whichever is higher.
With the GDPR comes a major shift in power.
Supervisory authorities can now carry out audits, set deadlines, issue warnings and reprimands, order data to be rectified or erased, impose temporary or permanent bans on processing, and levy substantial fines (Article 58). It is critical that every business within the Regulation’s scope is in compliance now in order to avoid penalties down the line.