The deadline for compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) is May 25, 2018. Time is of the essence here because non-compliance fines are up to €20 million (approximately $25 million) or 4% of the company’s prior year revenue, whichever is greater. Past experience tells us the EU is not hesitant to levy these heavy fines for non-compliance with its directives.
What is GDPR?
In April 2016, the EU adopted the GDPR, which has caused quite a stir in the global business sector and in technology communities. GDPR is sort of a data subject’s Bill of Rights. The purpose of GDPR is to safeguard the personal and private information of EU citizens and residents, and essentially give control over that information to the individual, including the controversial “right to be forgotten.”
GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU. The personal data can either be from EU citizens or residents. To clarify further, companies of any size that process anyone’s personal data that originates in the EU is subject to GDPR.
Information security controls that will be key to achieving GDPR compliance include data inventory, information security governance, risk assessment, risk management, third-party management, technical security controls, technical security assessments (e.g. penetration testing), security monitoring, and incident response planning.
Are you required to be compliant?
If your organization gathers, collects, or processes personal data on any individual residing in or visiting from the EU, you likely have to comply with GDPR requirements. There are two groups of organizations that must comply with GDPR:
- Companies located in the EU
- Companies not located in the EU, if the company offers services to EU residents or monitors the behavior of EU residents
The following data types are defined as personal data by GDPR:
- Identity information such as name, address and unique identifying numbers
- Web data such as geo-location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
GDPR will cover a large number of companies both inside and outside the EU. Additionally, companies that must comply are also required to ensure that their vendors and subcontractors who have access to collected personal data adhere to the GDPR requirements.
US Company Responses
Some US companies are re-evaluating their business with EU nations. According to a recent PwC survey, 54% of US corporations plan to de-identify EU personal data to reduce exposure. Other US-based companies are reevaluating their return on investment for their EU initiatives. 32% of the survey respondents plan to reduce their EU presence, while 26% plan to exit the EU market altogether.
What does it cost to become compliant?
US-based companies are budgeting to spend a significant amount on compliance with GDPR. According to the PwC survey, 77% of respondents plan to spend $1 million or more on GDPR compliance, while 24% state that they will spend less than $1 million to comply. To help minimize compliance costs and to avoid fines for non-compliance, affected companies should seek the advice of GDPR professionals.
Will Brexit Affect GDPR?
The Brexit deadline is scheduled for March 31, 2019, which means the GDPR should be effective in the UK for around ten months before the Brexit deadline. However, the UK intends to pass a proposed Data Protection Bill that largely mirrors GDPR with a few differences. Brexit should not have a significant impact on how your company plans to handle GDPR compliance.
Next Steps
GDPR is a significant regulatory milestone for the EU that can affect businesses in any country, depending on their current data collecting, processing, and disposition status. GDPR compliance is complex and can be an expensive undertaking. True Digital Security is here to help you navigate your GDPR compliance plan. Contact us today to discuss your unique GDPR challenges.