Today is the day. Doing business in the EU? You need to be compliant with GDPR.
The General Data Protection Regulations (GDPR) have made headlines for some time now and the deadline for compliance is fast approaching. Many have wondered why these regulations are so important and whether they will be affected. If your business is located in the United States or Canada, why do you need to be concerned?
What are the General Data Protection Regulations (GDPR)?
The GDPR are European Union data protection regulations designed to protect the personal data of consumers in Europe. The regulations put in place various measures to ensure that personal data is well protected from hackers. In an age when hacking and cyber-crime cases are on the rise, these measures are crucial. The new regulations come into effect on 25 May 2018.
These regulations govern various aspects of data handling: how data is collected, stored, processed and destroyed. They apply even when the transaction has no financial component. Many organizations will be affected, including companies that monitor the behavior of EU residents. They also cover anyone in the world who does business with a company in Europe, which includes many Canadian and American companies. If your business buys from, sells to or otherwise transacts business with a European company, then you must adhere to the provisions of the GDPR.
What happens in the case of non-compliance?
The GDPR requires that all companies that handle or deal with personal data belonging to European Union citizens comply with the regulations. Companies that fail to comply face penalties and fines. The penalty is calculated from the company's global annual turnover for the preceding financial year. For non-compliance it is set at 4% of the company's global annual turnover or €20 million, whichever is greater. Companies found guilty of less serious breaches of the regulations face a penalty of 2% of the company's global annual turnover or €10 million, whichever is greater.
How do these regulations affect United States based companies?
The GDPR rules apply to all companies that deal with data affecting or belonging to EU citizens. This means that owners of data processing companies with a global reach are affected by the regulations. As noted above, simply collecting data, even before any financial agreement is reached, puts the company within the purview of these regulations. The GDPR also affects companies that deal in surveillance and monitoring of behavior, so long as the data collected belongs to a citizen of the EU.
How to comply
Knowing that the GDPR applies to your company and that the penalties for non-compliance or for a breach are dire, it is important that every company affected by these regulations takes steps to ensure compliance before the May 25th deadline. There are various ways of complying with these regulations, including:
Conduct an audit of your company
This enables the owners of the company to decide exactly which steps to take to comply with the regulations. The questions you need to ask yourself while conducting this audit include: How is your data collected? Where do you store it? Why do you collect that particular kind of data? And when you are done with the data, how is it destroyed?
Audit your data service providers
You need to be sure that your service providers are GDPR compliant. This ensures that the services they provide to your company adhere to the provisions of the regulations.
Be sure that you understand the new regulations
One provision that may differ from the data protection regulations you are used to is the right to be forgotten. This means that citizens of the European Union have the right to request that their data be deleted from computer servers. EU citizens also have the right to have their data kept in a particular format and to have it transferred to another company at their request.
Determine the data handler category in which you fall
The GDPR recognizes two distinct categories of data handler:
- Data handler: defined as a company that processes personal data on behalf of a data controller
- Data controller: the person with authority over the collected data
The controller decides which data should be collected, in what format it should be collected, how it is to be stored and used, and how it is to be destroyed. The GDPR stipulates different regulations for the different categories of data handler. Knowing the category in which you fall will therefore tell you which regulations apply to you.
If you have not read the General Data Protection Regulations, it is important to do so as soon as possible. As you can see, the requirements for adherence are demanding and the cost of non-compliance is hefty. It is vital for every company that does business in Europe to know and understand these regulations. European authorities have stated that they will impose stiff penalties to make an example of companies that do not comply.