EU-GDPR And What It Means To Americans
Cybersecurity Awareness – By Ron Frechette, The Cyber Coach
On May 25, 2018, the European Union’s General Data Protection Regulation (EU-GDPR) became enforceable. We have been flooded with calls and emails asking what this means to us here in America. To get right to the heart of the matter: if you run any type of business, or work for a company in the US, that processes, stores or transmits personal data belonging to people in the EU, you must comply with GDPR or risk fines and brand damage.
Q: What is GDPR?
A: The European Union (EU) General Data Protection Regulation (GDPR) is an EU regulation, adopted in 2016 and enforceable since May 25, 2018, that strengthens the protection of personal data belonging to individuals in the EU. It replaces the 1995 Data Protection Directive and, being a regulation rather than a directive, applies directly in every EU member state.
Q: Does GDPR only apply to companies based in the EU?
A: No. GDPR applies to any organization, wherever it is established, that processes personal data of individuals in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour. A US company with EU customers, or one that tracks EU visitors on its website, is covered even if it has no office in the EU.
Q: What is “personal data” according to GDPR?
A: “Personal data” is any information relating to an identified or identifiable natural person. This includes the person’s name, email address, social media posts, physical, physiological or genetic characteristics, health information, location data, bank details, IP address, cookie identifiers, and cultural or social identity. Data that identifies someone only when combined with other data, such as an IP address or a cookie ID, still counts.
Q: What does GDPR regulate?
A: GDPR regulates the processing of personal data of individuals in the EU, where “processing” covers collecting, storing, transmitting, analysing and deleting that data, including any tracking of a person’s location or activities, e.g., with browser cookies. It applies even if the processing organization is not physically located in the EU.
Q: How are privacy rights affected by GDPR?
A: The main obligations that organizations processing personal data (GDPR calls them controllers and processors) must honor include:
- Data subject rights: EU residents have greater control over their personal data, including the right to obtain a copy of it, to have errors corrected, and to have it erased on request. The right to erasure is subject to exceptions, for example where the data must be retained to meet a legal obligation, and requests must normally be answered within one month.
- Proof of compliance: Organizations must implement appropriate technical and organizational security measures, keep records of their processing activities, and be able to demonstrate compliance to a supervisory authority on request (the “accountability” principle).
- Security breach notifications: Controllers must report personal data breaches to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well. Processors must notify the controller without undue delay.
- Penalties for non-compliance: Supervisory authorities can impose substantial fines, taking into account factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the categories of data affected, and the steps taken to mitigate the damage.
Q: What is a Data Protection Officer?
A: The Data Protection Officer (DPO) is an employee or external consultant whom certain controllers and processors must designate to oversee GDPR compliance. Public authorities and bodies (other than courts acting in their judicial capacity) must appoint one. Private organizations must appoint a DPO if their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health, biometric or genetic data) or data about criminal convictions. Organizations outside these criteria may still appoint a DPO voluntarily.
Q: What happens if we choose not to comply with GDPR regulations?
A: The penalties for GDPR non-compliance are significant. Supervisory authorities can impose fines of up to €10M or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements such as failing to keep records of processing, failing to notify breaches, or failing to implement appropriate technical and organizational security measures. Fines can climb to €20M or 4% of worldwide annual turnover, whichever is higher, for more serious infringements such as violating the basic principles for processing (including the integrity and confidentiality of personal data), ignoring data subjects’ rights, or transferring personal data outside the EU without a lawful basis. Within each tier the amount is tied to the gravity of the infringement and the damage caused, so a breach that exposes large volumes of sensitive data sits at the upper end.
In addition to regulatory fines, any individual who has suffered material or non-material damage as a result of an infringement, for example because their personal data was breached, has the right to seek compensation from the responsible controller or processor in court. This does not require showing that the organization ignored GDPR deliberately.
Q: How can we become GDPR compliant?
A: There is no single checklist, but a few building blocks have concrete, positive impacts on your GDPR compliance posture: knowing exactly what personal data you hold and where it is stored (a data inventory), collecting and keeping only the data you actually need, preventing breaches such as ransomware attacks, and protecting data with strong encryption in transit and at rest. GDPR names encryption and pseudonymisation specifically as appropriate security measures, and if breached data was encrypted with keys the attacker did not obtain, you may not have to notify the affected individuals (the supervisory authority may still need to be notified). Encryption only helps if the keys are managed separately from the data; an attacker who obtains both has the plaintext.
This article is for informational purposes only. It should not be relied upon or construed as legal advice. Seek advice from a legal or compliance professional to learn more about how to become GDPR compliant.