In December of 2015, one of the largest and most far-reaching data privacy laws in the world was officially agreed upon and released to the public. The European Union's General Data Protection Regulation (GDPR) applies to all businesses handling consumer data of EU citizens, and will become enforceable in 2018. Here's what you need to know about it, and what you can do now to prepare.
What is the GDPR?
The GDPR was first proposed in 2012 as a way to create consistent data privacy laws across the EU member states. The legislation will replace the 1995 Data Protection Directive, which was a set of recommendations to guide EU countries in creating their own laws around data privacy. Key provisions of the GDPR include the following:
- Anyone involved in processing EU consumer data, including third-party entities involved in processing data to provide a particular service, can be held liable for a breach.
- When an individual no longer wants his or her data to be processed by a company, the data must be deleted, "provided that there are no legitimate grounds for retaining it."
- Companies must appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers (small and midsize enterprises are exempt if data processing is not their core business activity).
- Companies and organizations must notify the relevant national supervisory authority of serious data breaches as soon as possible.
- Parental consent is required for children under a certain age to use social media (a specific age within a group ranging from ages 13 to 16 will be set by individual countries).
- There will be a single supervisory authority for data protection complaints aimed at streamlining compliance for businesses.
- Individuals have a right to data portability to enable them to more easily transfer their personal data between services.
How will it affect small businesses?
At first glance, it may seem that the GDPR only applies to large, global companies that conduct a lot of business overseas. However, small and midsize businesses that have any ongoing connection to European vendors or consumers are at risk of violating this law.
"Any company of any size that conducts business in Europe will be impacted by the change, and will need to understand their responsibilities in complying with the regulations," said Daren Glenister, field chief technology officer of Intralinks, an enterprise collaboration tech company. "[Companies] will need to put procedures and systems in place to ensure [European] citizen data resides in the country of record, and will need to validate how any personal data is collected, stored, processed and shared."
Failure to comply with the GDPR comes with a pretty hefty penalty — even if noncompliance is accidental, Glenister said. Fines range from $1.7 million up to 4 percent of your global revenue, depending on where the data violations occurred.
"The rules are changing for each country, therefore you will need to understand the rules for each country you do business in," Glenister told Business News Daily. "The fines are levied based on each country's specific regulations, which further opens up businesses to significant, repeated risks, depending on how many countries you transact with."
What can you do to prepare?
If your business currently does or is thinking about doing business in Europe, Glenister shared three important steps to help you stay compliant with the GDPR.
Educate yourself and your team. Consult with a legal expert to better understand the data privacy regulations and how they might impact your business. Then, educate your employees regarding the responsibilities they have when dealing with personally identifiable or sensitive personal information of employees, customers, partners and contractors. Midsize businesses may want to consider appointing a compliance officer, who would be responsible for reviewing the constant changes in data privacy laws, Glenister said.
Categorize your data. Determine which of your business's data is impacted by regulation guidelines. For example, EU citizen data could be in contracts, HR documents, financial records, etc. Look at where this data is stored, how it is processed and who has access to it. From there, you can set companywide policies around how this high-risk data should be handled.
Review your contracts. Your third-party vendors should have clear policies that adhere to the regulations. Just because you sign a contract in one country does not mean your data will be stored or processed in that country, Glenister said. As with your own internal data management, understand how your vendors will store, process and access your business's data. In addition, ask what procedures your vendor has in place to meet regulations and how that company will address violations.
Even though the GDPR won't go into effect right away, Glenister urged business owners not to delay in making any necessary changes to comply with the law.
"Don't wait," he said. "It is critical that businesses start to understand the impact of the regulations now, before they go into effect, as remediation may take a significant investment of time and money to meet compliance. The more you can invest in data security to ensure that you are doing all the right things to keep personal data safe, the better."