GDPR, or the General Data Protection Regulation, takes effect next May. It’s an EU regulation. However, everyone must comply with it or else suffer heavy financial penalties and risk criminal prosecution.
Simply put, the GDPR requires strong protection of personal privacy of people in the EU. Violations can lead to crippling fines, even for non-EU businesses.
You can read the 88-page document online. GDPR replaces the 1995 EU data protection directive. It aims to give EU citizens and residents (and even visitors) control of their personal data. It also simplifies the regulatory requirements for businesses.
We’re a little over halfway through the transition. The EU adopted GDPR in April 2016. It takes effect on May 25, 2018.
As for the penalties, you might get off with a written warning for a first and non-intentional violation. But the EU might impose an enormous fine. It could be up to 20 million Euro or 4 % of the annual worldwide turnover (basically, revenue), whichever is greater.
It’s not just a financial risk: criminal prosecution may apply. Business reputation is also at risk. Organisations must now notify any breaches within 72 hours.
There’s motivation to be compliant!
Contrary to what many UK businesses assume, they must comply with GDPR.
For one thing, there is a ten-month overlap between the start of GDPR and the UK departure from the EU.
Then, after Brexit, UK businesses will still handle lots of EU personal data. Many EU residents live in the UK. Plus, many UK companies do business with people on the Continent.
Information Age found that one in four UK businesses have cancelled GDPR preparations because they misunderstand Brexit.
The fines are harsher than under the UK Data Protection Act: a company that was fined 0.02 % of its annual turnover under the DPA would pay 4 % under GDPR.
The GDPR applies to US-based companies.
If a US-based company offers goods or services to EU individuals, trades with EU suppliers or partners, has EU subsidiaries, monitors the EU-based behaviour of individuals, or processes data about EU individuals, that company must be compliant.
This includes some situations you might not expect. Let’s say that a US citizen accesses a US-based website during a visit to France. If that website tracks their behaviour, the company must be compliant.
GDPR requires a high duty of care.
Let’s say you collect data and have it processed elsewhere. You must carefully select that service provider and, in turn, any subcontractor it uses. The original collector is held responsible.
The EU just hit Google with a $2.7 billion fine for antitrust violations.
Learning Tree recently created a half-day GDPR course to ensure you’re ready and informed about the changes and what you’re responsible for.