Significant privacy law changes are coming to the European Union (EU) that will require some US companies to meet strict data privacy rules in 2018. This law could carry significant cost and liability for US firms that do business within the EU.
After four years of debate, the General Data Protection Regulation (GDPR) was finalized and approved by the EU Parliament on April 14, 2016. It will become effective on May 25, 2018. According to a survey by PwC, GDPR compliance ranks as the top data protection priority for 92% of US organizations in 2017 with US companies spending millions of dollars to satisfy it.
How will your business be impacted, and will you be ready?
What is GDPR?
The GDPR is a single law that replaces Data Protection Directive 95/46/EC and the various data protection laws of the EU countries. GDPR expands the scope of data privacy protection in the EU, which greatly impacts how businesses collect, store, and transfer data, and is the most important change in data privacy regulation in 20 years. It holds every organization that processes personal data accountable to ensure the data is safeguarded against loss, theft, and unauthorized access.
How are US Businesses Affected?
Any US company that offers goods or services to EU residents, or that monitors or processes their personal data, must comply with the EU’s data privacy rules regardless of where the company is located, and should understand how the GDPR will impact its business. Organizations in breach of GDPR face penalties of up to €20 million (approx. $22.6 million) or 4% of annual total revenue, whichever is higher.
If your company does business in the EU:
- You will need to maintain a record or inventory of all data processing activities and either prove that data transferred is encrypted and thoroughly protected or physically relocate your data servers.
- The Data Protection Authorities (DPA) must be notified within 72 hours of any data breaches that carry substantial risks to individuals.
- In the event of a data breach, affected individuals must be notified without undue delay.
- If your business engages in large scale processing of sensitive personal data, you will be required to appoint a Data Protection Officer (DPO) to ensure compliance.
How You Can Prepare
- Familiarize yourself with all of GDPR’s requirements by reading a detailed summary and the full text of the regulation.
- Assess the impact of GDPR on your operations.
- Devise a comprehensive privacy management program and implementation plan and evaluate the need for additional resources.
- Appoint a Data Protection Officer for your organization.
- Build policies and procedures that tag business data.
- Keep an accurate record of processing and data transfers.
- Tag and classify the data you hold to indicate whether or not it contains personally identifiable or sensitive information.
Since 2005, JPMerc has helped small to mid-sized businesses use technology more effectively — so it fuels their productivity and success, instead of getting in the way. Contact us to discuss your company’s IT needs.