Jan 30, 2018, 11:27 AM, Open Mic
New European data privacy rules apply to local businesses
Many area businesses have European residents among their customers. If you do, you probably have data about those customers on your computer systems. New European Union (EU) regulations about the security and privacy of that data are relevant to you.
These EU regulations are called the General Data Protection Regulation, or GDPR. The rules — and penalties — are designed to establish cohesive data privacy laws across Europe. GDPR applies to all companies that handle personal data for anyone living in the European Union, regardless of the company’s location.
GDPR takes effect on May 25, 2018. After that date, companies that fail to secure the personal data of people in the EU, or that fail to honor their privacy rights, can face fines of up to 4% of worldwide annual revenue or 20 million euros, whichever is higher.
Compliance therefore matters, but not only for avoiding penalties. What GDPR demands is also good business practice: the same discipline needed to safeguard your customers' personal information also safeguards your business's own sensitive details, such as financial data, trade secrets, engineering drawings, and business processes.
Basic overview of GDPR: Rules and readiness
Consent is one of the legal bases GDPR allows for collecting and storing personal data (others include performing a contract with the customer or pursuing a legitimate business interest). Where a company relies on consent, whether from customers or from anyone else whose behavior it monitors, that consent must be specific and freely given. Hard-to-read terms and conditions full of legalese aren't acceptable; the request must be presented in an easy-to-understand form using clear and plain language, and withdrawing consent must be as easy as giving it.
Companies must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. When a breach is likely to put individuals at high risk, the affected people must be told as well, without undue delay.
It doesn't matter where a company is located, nor whether its data is stored on-premises or in the cloud. A U.S. company that falls under the rules must identify the personal data it holds about people in the EU, protect it, and be able to report on failures to do so.
Most companies are not ready to meet these requirements. Many haven’t yet realized how the rules apply to them. A recent survey by technology research firm Gartner Inc. predicts that by the end of 2018, more than 50% of companies affected by GDPR will not be in full compliance with its requirements, and lack of compliance could lead to hefty fines.
For example, the following infractions fall in the lower fine tier, up to 2% of annual global revenue or 10 million euros, whichever is higher: failing to keep records of processing activities in order; failing to notify the supervisory authority and the data subject (the person whose data has been compromised) of a breach; or failing to conduct data protection impact assessments where they are required.
GDPR applies both to companies that control data, meaning they decide why and how it is processed (most organizations), and to those that process data on a controller's behalf, such as providers of cloud-based storage and collaboration services.