Posted by Bryan Vale / October 23, 2017
What is the GDPR?
Simply put, the GDPR is a data protection regulation for citizens of the European Union. Noncompliant organizations will face fines of up to 4% of a company's annual revenue or €20 million, whichever is larger.
The GDPR takes effect on May 25th, 2018. Additionally, all companies with E.U. consumer data must comply, even companies based in non-E.U. countries.
What does "GDPR" stand for?
"GDPR" stands for General Data Protection Regulation.
The GDPR was also developed to provide one unifying, streamlined set of rules about data that apply across the 28 (27 after the U.K. exits) countries of the E.U., in contrast to the regulatory situation in the United States, where individual states have different rules and protections that are much less specific.
What does GDPR compliance look like?
As commentator Alex Woodie puts it, "Say goodbye to big data's Wild West!"
GDPR compliance starts with a strong cybersecurity strategy for data, especially data in the cloud. To remain compliant, companies must keep data on E.U. citizens secure, whether that data is in cloud storage, in corporate storage, or being processed by vendors.
But there are several new regulations, requirements, and expansions to existing laws:
1. Data consent: A company that collects data on individuals must have "unambiguous" consent from those individuals – silence, pre-ticked boxes, or inactivity do not count as consent.
2. Data portability: Companies must be willing to move personal data to another location or company, even a direct competitor, if requested by the consumer.
3. Data deletion: Companies must delete personal data when requested by an individual.
4. Consumer profiling: Individuals can contest, object to, and request explanation for automated decisions or decisions made by algorithms.
5. Data protection: The GDPR has strict, specific data security requirements, and stronger enforcement. Data encryption is especially important.
6. Data breach notification: The GDPR has a specific definition for what constitutes a breach of "personal" data, along with strict requirements for notifying affected individuals if a breach occurs.
7. Data Protection Officer (DPO): All companies that store or process large amounts of personal data must appoint or hire a data protection officer (DPO), who will drive data security and oversee GDPR compliance.
These changes will require updates to corporate policy and, in many cases, updates to the user experience of websites and applications.
There are two tiers of fines under the GDPR.
First tier: 2% of a company's annual revenue or €10 million, whichever is larger.
Second tier: 4% of a company's annual revenue or €20 million, whichever is larger.
GDPR and Brexit
The GDPR extends to all companies that store or process personal data of European citizens, even companies that are based in and store data in countries outside the E.U.
In 2016, the citizens of the United Kingdom voted to leave the European Union. The so-called "Brexit" will not take place until March 29th, 2019, but once it does, British firms will still need to comply with GDPR regulations for E.U. data.