GDPR – What’s Going On And Why Should I Care?
Unless you’ve been hiding under a rock or you’re one of today’s lucky 10,000 hearing about it for the first time, the EU General Data Protection Regulation hype train is at full speed and organizations across the world are engaging panic mode as the compliance deadline looms ever closer.
For those lucky enough not to have encountered GDPR yet: what is it all about, and why should you care?
The European Commission began work on GDPR in 2011 and published its proposal in January 2012; the final text was adopted in April 2016 with a two-year transition period, so organizations must be compliant when it applies from May 25, 2018. With over 3,000 amendments tabled since the first draft it is widely described as the most heavily lobbied piece of EU legislation ever, and the completed regulation runs to 99 articles and 173 recitals.
GDPR replaces the 1995 EU Data Protection Directive (95/46/EC), which the UK implemented as the Data Protection Act 1998, and clears up definitions that were ambiguous or out-of-date for the modern world. In 1995 only a minority of us had access to the internet at all; by 2016, in some age groups 98 percent of people carry an internet-ready computer in their pockets.
GDPR is a regulation, which means it is directly applicable law in every EU member state from the day it applies and takes precedence over conflicting national law. This is different from a directive, which only sets objectives and has to be transposed into local law through each member state’s own legislative process (e.g. parliament) before it takes effect.
No ifs, no buts: if any of the following applies to your business, you have to comply:
- Organizations established in the EU that process personal data in the context of that establishment
- Organizations outside the EU that offer goods or services to individuals in the EU, whether or not payment is required (free services such as Facebook count)
- Organizations outside the EU that monitor the behavior of individuals in the EU (e.g. targeted advertising companies tracking users across sites)
In short – every organization in the EU that processes personal data in any shape or form, and every organization outside the EU that targets or tracks people in the EU. Note that the test is where the data subject is, not their citizenship.
GDPR has an extensive list of requirements for organizations to comply with that can be summarized around the following areas:
- What data is considered ‘personal’ (anything relating to an identified or identifiable natural person)
- How personal data may be collected, processed and controlled, on what lawful basis, and for how long it may be retained
- What data security controls organizations must have in place to protect personal data, and how breaches must be reported
- What rights data subjects have in regards to their own personal data (access, rectification, erasure, portability, objection), and how organizations must honor those rights
The specifics can get pretty complex, and a number of organizations already offer accreditation courses for privacy professionals to get up to speed with the changes and how they might impact a particular business.
The biggest headline around GDPR though is not the rights given to citizens (though they are considerable and will make for some interesting reading once people start requesting data from Silicon Valley giants like Google…).
Instead, the main headline is the potential size of the fine that can be imposed for non-compliance. For the most serious infringements, GDPR sets the maximum fine at €20 million or four percent of an organization’s total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10 million or two percent applies to other breaches, such as inadequate security or failure to notify a breach).
For Google, four percent of worldwide turnover would mean a fine in the region of $3.5 billion!
But no need to panic. We’ve got your back.
Chris Lewis is a technical evangelist at Connexica. Connexica can help with expertise and industry-leading data discovery software when it comes to GDPR compliance.