Okay, I understand that law is boring to some people. Alright, I admit it, most people. I will try not to put you to sleep. Actually, you should be very concerned about this topic, because it deals with a European Union regulation that may apply to your company, and you absolutely must consult with someone familiar with the GDPR. If it is applicable to your company, start preparing to comply with the requirements of the GDPR NOW! This is serious stuff and you cannot afford to ignore it.
Do you know what the GDPR is? If not, you need to learn. The General Data Protection Regulation (GDPR) is a European Union regulation that will take the place of the EU Data Protection Directive. Instead of a series of differing regulations in the individual EU member states, the GDPR will apply uniformly to all member states, as well as to some companies that are located in countries outside the EU and have no physical presence in the EU. I believe the United States could learn from the GDPR and craft legislation that applies to all states in a similar way. I think it would bring consistency to US law, rather than the current patchwork of laws dealing with privacy. The GDPR will take effect on May 25, 2018. Therefore, if it is applicable to your business, it is imperative that you consult with experts and ensure you are in compliance! You will cringe when I tell you about the astronomical penalties for failure to comply in a future post, so please do not ignore this!
Since the GDPR is over 200 pages long, I am going to post several articles to educate you about the provisions of the GDPR. I will try to hit the most important points and also do my very best to make sure you stay awake and read all of this. Please don’t ignore this and subject your company to great financial risk. Go get yourself a cup of coffee, stay awake and read!
The GDPR has eliminated the obligation of companies to notify local authorities of the personal data that they process. This requirement was seen as very burdensome on companies. Instead of the notification requirement, companies will be required to keep an inventory of all personal data that they process. The GDPR requires that a company keep not only a description of the data that is processed but also the reason for processing it. In addition, companies are required to disclose whether the data is exported, as well as the identity of any third parties receiving the data.
All companies must make sure that personal data in their possession is properly safeguarded. The GDPR contains a data breach notification rule, which requires a report of a breach to the supervisory authority within 72 hours of the breach. Furthermore, if a breach could result in a high privacy risk to individuals, the company must also notify those individuals of the breach. The notification requirements alone could prove to be very expensive and burdensome for a company.
The provisions of the GDPR give individuals greater control over their personal data. Can you imagine... an individual actually has the right to transfer their own personal data from one entity to another? Wow, what a huge benefit. [Insert sarcasm font here]. You actually can control your own personal data. How generous and logical is that? From the perspective of the company, the question they need to ask is how they will accomplish such portability. What procedures must they implement to accomplish this task?
Ok, I am sure you are wondering what the heck this is. That is why you need me. The GDPR requires that when a company designs a new system, process, etc. that processes personal data, protection of that data must be considered from the very start of the design. Furthermore, the company needs to be able to produce evidence that it has complied with this requirement. The default component of this provision requires that if the company designs a new system, process, etc., the company shall give users the opportunity to choose how much personal data will be shared. In the event an individual fails to choose how their personal information will be shared, the default setting will be the one that allows the most privacy for the individual. In other words, the default setting will be that no information is shared.
What is interesting (and potentially terrifying) is that the GDPR does not only apply to companies located in the EU. Rather, the GDPR applies to companies even if they have no physical presence in the EU but offer goods or services to EU residents. Think about companies that offer goods or services via the Internet. An EU resident can be a purchaser, and therefore the company has to comply with the GDPR with respect to that individual’s private data. Read this again! Your company could be subject to the compliance requirements of the GDPR even though you have no physical presence in the EU. Failure to comply will result in very heavy fines.
This is just a fraction of the provisions contained in the GDPR. Stay tuned for more information. In my attempt to ensure you read this and understand how critical it is (and keep you awake in the process), I am breaking this into several articles. Remember, May 25, 2018 is D-Day, so you need to determine if the GDPR applies to you and be prepared.