The General Data Protection Regulation (GDPR) gives EU citizens better control over their personal data and sets rules for the collection and handling of personal data. Even in the US, we are subject GDPR when data is collected on Europeans.
Why should I care?
So why should you care if you’re based here in the United States. Well, the GDPR applies to all organizations worldwide, not just those in Europe. So, although you’re here in the United States you still must comply. If you don’t they will come after you here, and your company could potentially be subject to massive fines. Also, just one complaint can trigger an investigation. In fact, the governing authorities in Europe can pursue action against you even without a complaint based simply on observation of your web presence, available disclaimers and other indicators of compliance, or noncompliance.
So, why would the enforcement agencies, known as Data Protection Authorities (or DPAs), bother you. Well, the bottom line is cash! Each country in the European Union has one (or more) DPAs. And, in most cases, these enforcement agencies are self?funded through fines and fees. So, they have a lot of incentive to find and prosecute non?compliant organizations.
Non?compliance can also be very costly. Penalties vary, but can be levied up to the greater of ten million euros or two percent of global gross sales for violations of
record?keeping, security, breach notification, and privacy impact assessment obligations. These penalties may be doubled to twenty million euros or four percent of global gross sales, for violations related to legal justification for processing, lack of consent, data subject rights and cross?border data transfers. So, if there’s even a possibility that your organization may obtain and store information related to EU citizens, it’s incumbent on you to ensure you’re in compliance.
The GDPR is fairly complex, and it’s important for you to understand definitions of some key items included in the Regulation. Personal Data per the GDPR is defined as any information relating to an identified or identifiable person. Fundamentally, if there’s a way a piece of data can be associated with a person, the GDPR applies. The figure below shows some more GDPR definitions.
What to do??
So what do organizations need to do? Basically, at the highest level, in order for organizations to comply with GDPR they must protect subjects’ rights, only use data for legitimate purposes, and establish accountability & compliance procedures.
The figure below lists the general steps you need to take in protecting personal data.
As you might imagine, there is a lot more to this subject, which is explained in much greater detail in our webinar on GDPR.