The GDPR: What it is, who it affects, and what you should do about it
If you haven’t already heard about the General Data Protection Regulation (GDPR), brace yourself. You’re about to hear a lot about it in the coming months, from ways to comply with the regulation to the massive fines incurred by those who don’t. The most important thing to keep in mind as this news rolls out? This EU regulation won’t just affect those in Europe. Organizations across the globe will have to comply—including yours.
To make sure you’re prepared, we’ve put together some of the most important information on the GDPR: what it is, who it affects, and how to avoid penalties. While it won’t kick in for another few months, advance preparation is key to properly handling the GDPR.
What is the GDPR?
The GDPR is a set of regulations addressing how entities handle the personal information of EU residents, encompassing anything private, public, or professional related to an individual. Any information that directly or indirectly identifies someone, such as a name, address, photo, social media post, or IP address, is included under this umbrella.
The GDPR was adopted in April 2016, and will go into effect on May 25, 2018. Its intent is to give people more control of their personal data by increasing transparency around how companies are using it, such as the algorithms and profiling this information is subjected to. For businesses, the regulation enforces stronger data governance and transparency with new requirements for breach notifications and accountability to offer high levels of protection for personal data.
It also gives individuals “the right to be forgotten,” meaning they can request companies delete or remove their personal data if they wish.
If companies can’t meet the compliance standards, they can face massive fines—up to €20 million, or 4 percent of a company’s global revenue (whichever is greater)—per violation. This is huge for major corporations. Target’s 2013 security breach, which cost it $18.5 million plus $200 million in legal fees, would have cost an estimated $2.5 billion had it happened under GDPR.
Who does the GDPR impact?
The GDPR protects all citizens of the 28 member states of the EU, including the U.K., which will be covered by GDPR despite ongoing Brexit negotiations. Despite protecting only EU citizens, the regulation is not exclusive to the EU by any means—it applies to all companies, worldwide, handling the data of EU citizens.
This means that the vast majority of companies in the U.S. will also have to comply, as something as simple as a website visit from an EU citizen falls under the regulation.
Because of this, 54 percent of U.S. companies identify GDPR preparedness as their number one priority, with 68 percent investing between $1 million and $10 million, and 9 percent investing even more than that. Despite these efforts and budget investments, experts predict that more than 50 percent of companies will not be in full compliance with the GDPR by the May 2018 launch date.
How can you prepare for the GDPR?
There are three pillars that must be addressed to keep your company out of the unprepared group: data management, security, and process.
- Data management: To allow for easy search and location of personal data, your organization needs data management solutions that drive information governance. Incorporating defensible deletion, which minimizes unneeded personal data (and therefore risk), together with data protection products, will lower the chances of damage or loss.
- Security: Data loss prevention products are imperative in helping your business identify where personal data is located and how it is being used. Firewall, endpoint protection, and advanced threat protection products will all help prevent costly breaches of data.
- Process: To ensure EU citizens’ data is handled properly, you will need to change existing processes or implement new ones. This could mean appointing a data protection officer. It will definitely involve additional staff training, internal audits, and a review of your internal HR procedures. To comply with the GDPR’s accountability principle, these processes should all be properly documented, as failing to do so could mean trouble if you are accused of noncompliance.
For each of these pillars, have an outside party assess your systems to get an objective look at where you stand in terms of compliance. These assessments can gauge your current preparedness and identify weaknesses that you should reinforce before the GDPR goes live in May 2018.
For more information on assessment options for the GDPR, reach out to your SHI account executive.