In 2012, the European Commission acknowledged that our data-driven world had become all but unrecognisable from the world of 20 years earlier, and proposed sweeping new data protection rules to reflect the needs of the modern digital age. The EU institutions then spent four years negotiating and drafting the final text.
The culmination of this lengthy legislative process was the General Data Protection Regulation (GDPR), a regulation that replaces the patchwork of national data privacy laws across EU countries with a single set of rules, with the goal of stronger and more consistent protection for individuals inside the EU. The regulation was adopted in 2016 and applies from May 25, 2018. And, while the GDPR tackles key data protection issues, it also means numerous new compliance obligations for any entity that collects data on individuals inside the EU.
The GDPR requires that all businesses, both inside and outside the EU, that offer goods or services to people in the EU, or that collect data on or monitor the behaviour of people in the EU, comply with the regulation. Because data knows no political borders, the GDPR reaches any business that holds personal data on individuals inside the EU, wherever that business is established.
GDPR Background and Forefront
The GDPR was designed to strengthen data protection for all individuals in the EU’s 28 member states and applies to companies both inside and outside the EU. Essentially, the GDPR applies to any business that offers goods or services to, or collects data on, people in the EU. For example, if a person in the EU visits an American business’ website and fills out a form, that American company must handle the submitted data in line with the GDPR.
Switzerland and the non-EU EEA countries (Iceland, Liechtenstein and Norway) are not EU member states, but they are expected to apply laws closely aligned with the GDPR. The GDPR also leaves room for individual member states to add country-specific provisions in certain areas (for example, the age at which a child can consent to online services), so requirements can differ from country to country. Post-Brexit Britain is expected to keep closely aligned rules in place as well. Finally, the GDPR defines special categories of personal data, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation, which require further protections and may be processed only under narrow conditions.
The GDPR lists a series of rights for individuals that each country and business must uphold, including the right of access to personal data held by a data controller, the right to erasure (also known as the right to be forgotten), the right to data portability, and the right to object to certain processing, among others. It also imposes obligations on organisations, notably data protection by design and by default, so that privacy is built into systems and processes from the outset rather than added afterwards.
This precedent-setting departure from the EU’s 1995 Data Protection Directive casts a wide net over what constitutes personal data. The regulation treats any information relating to an identified or identifiable natural person (the “data subject”) as personal data, whether it identifies the person directly or indirectly. This ranges from name, email address, and photos to social media posts, IP addresses, location data, and medical information.
And, as virtually all businesses rely on an online presence no matter where they are based, every business that operates in or deals with individuals and businesses in the EU needs to be compliant with the GDPR. Fines come in two tiers, and in both cases the higher of the two figures applies. Breaches of the regulation’s operational obligations, such as keeping records of processing, securing personal data, notifying breaches, or appointing a Data Protection Officer where required, can be fined up to €10 million or 2% of annual global turnover, whichever is greater. Breaches of the core data protection principles, of data subjects’ rights, or of the rules on transferring personal data outside the EU can be fined up to €20 million or 4% of annual global turnover, whichever is greater. But beyond these prodigious fines, a non-compliant business faces a more lasting blow: customers and partners no longer willing to do business with it, leading to a loss of revenue and reputation.
Become (and Remain) GDPR Compliant
An initial risk assessment is an important part of GDPR compliance: it shows where and how a business’s current systems, policies, and procedures meet or fall short of the GDPR’s requirements. Velocity Global’s custom, individualized risk assessments provide that knowledge, which becomes the cornerstone of a comprehensive implementation plan addressing all of a company’s compliance needs.
Customized Implementation Plan
Once gaps have been identified in a company’s customized risk assessment, the next step is a tailored implementation plan that closes them. These changes focus on a business’s internal processes and systems, ensuring that all personal data flows in a compliant manner, from collection through storage and sharing to deletion. While many businesses have internal teams that can execute the implementation, Velocity Global’s GDPR services provide assistance in any area where a company lacks expertise or available resources.
Data Protection Officer (DPO)
A DPO does not guarantee that a company will avoid data breaches; rather, the DPO informs and advises the company on its GDPR obligations, monitors its compliance (including staff awareness and internal audits), advises on data protection impact assessments, and serves as the contact point for supervisory authorities and for data subjects, reviewing and updating policies should a breach occur. The GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. DPOs act as a company’s connection to the GDPR’s regulators and ensure the company evolves with the regulation, not after it; DPOs not only help companies become compliant, but help ensure that companies remain compliant.
Let Us Help You Prepare for GDPR Compliance
The implementation of the GDPR undoubtedly means scores of questions from companies across the globe. Let the GDPR compliance experts at Velocity Global assist you with your regulatory needs. From in-house risk assessments to broad, large-scale compliance needs, we can provide you with GDPR regulatory services from start to finish. Reach out to us today to learn more about how we can help ensure your business is GDPR compliant.