If your organization has international operations in the European Union, you should be planning for GDPR compliance now! The General Data Protection Regulation (GDPR) is set to become the overriding data protection regulation within the EU. It was adopted by the European Parliament, Council and Commission in 2015, took effect in 2016, and enforcement is scheduled to begin in May of 2018.
At its core, the GDPR is intended to provide citizens of the EU with greater control over their personal data and assurances that their information is being securely protected by harmonizing data privacy laws across Europe. If you currently do business within the EU, here are some key areas where the provisions of GDPR may impact your operations:
Territorial Scope – The GDPR mandates apply to any processor who handles personal data for a subject residing in the EU. Sharply defining the lines of jurisdiction and compliance was a primary goal when drafting the initiative, as reflected in this quote from the official GDPR web site: “it (GDPR) will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not”. In other words, offshore hosting outside of the EU will not be exempt from compliance.
Penalties – The EU is also serious about compliance, as underscored by the stiff penalty associated with a breach of the GDPR. The maximum fine is defined as 4% of annual global turnover or €20 Million (whichever is greater). In addition, smaller tiered penalties exist for companies that do not have their records in order (article 28), have not notified the supervising authority and data subject about a breach, or have not conducted an impact assessment. Since these penalties apply to both controllers and processors, cloud providers who host data are not exempt.
Consent – When requesting consent to use personal data, that request must be clear and presented in plain language. Additionally, it should be as easy for an individual to revoke consent as it is to grant it.
Along with these core changes in data privacy, GDPR formalizes a series of other measures that apply to personal data including breach notification, the right to be forgotten, right to access, data portability, privacy by design and (in some circumstances) the appointment of a Data Protection Officer.
With a little over 600 days until GDPR takes full effect, many organizations are starting to prepare now by scanning their stored information for personal data and implementing plans for remediating that archival content. If you think GDPR may apply to your organization, Sherpa offers a variety of tools that can help you scan your electronic information for personally identifiable information (PII) and then either quarantine it for a more in-depth review or simply delete it.
If you are interested in learning more about GDPR, I highly recommend the web site http://www.eugdpr.org/eugdpr.org.html. It is an excellent resource for understanding the compliance requirements of the regulation.