The General Data Protection Regulation (GDPR) took effect on 25 May 2018. This European Union privacy law regulates how personal data is collected, stored and used. It applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is established there.
The GDPR is designed to protect individuals from misuse of their personal information, such as names, banking information, credit card numbers and other private details. Failing to comply can result in administrative fines of up to €20 million or four percent of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
What is GDPR?
The GDPR applies to any organization that offers goods or services to people in the EU, or monitors their behaviour, even if the organization is located on another continent (Article 3). The law protects data subjects who are in the EU, not only EU citizens.
Enforcement rests with the independent supervisory authority (data protection authority) of each EU member state, coordinated through the European Data Protection Board. Authorities in other countries may cooperate through mutual assistance arrangements, but they do not enforce the GDPR themselves.
According to one study, which surveyed “7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving license) was cited as a concern of 76 percent of the respondents.” Worse, 62 percent of the respondents said that they’d blame the company for the data breach—not the hackers themselves.
Data privacy is a serious concern, and not just for consumers. The fight to keep data secure and private is a challenge that gets more difficult over time. The GDPR was designed to give businesses a broad framework for guiding their policies.
The GDPR has seven key principles (Article 5) to guide data collection and use:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Detailed information about these principles can be found in previous blog posts. The key takeaway to remember is that it doesn't matter where your company is located: if you collect personal data from data subjects in the EU, you'll need to ensure you comply with the GDPR rules.
GDPR Compliance in the EU and the US
Here’s a general compliance checklist to consider:
- Determine whether you're collecting EU personal data: The first thing you need to do is conduct a data audit. Are you collecting personal information from anyone in the EU? If so, you'll need to comply with the GDPR. Article 30 requires most controllers and processors to keep records of their processing activities, so the audit output doubles as that record.
- Reconsider your data processing procedures: Next, assess whether your current data security and processing are sufficient. Article 32 (security of processing) requires technical and organizational measures appropriate to the risk, and names pseudonymisation and encryption of personal data as examples. Consider hiring a security firm for a risk management assessment.
- Find out whether you need an EU representative: Certain US companies will need to designate a representative within the EU. Article 27 explains which companies not established in the EU must have a representative, and which are exempt.
- Know what to do if there's a data breach: Articles 33 and 34 enumerate what a company must do if it discovers a personal data breach. Article 33 requires notifying the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; Article 34 requires telling the affected data subjects when the risk is high. Familiarize yourself with the process before anything goes wrong, and have a system in place to deal with potential issues.
- Consider cross-border transfer law compliance: If you wish to transfer personal data to non-EU countries, you'll need to comply with Chapter V of the GDPR (Articles 44 to 49). Article 45 covers transfers to countries the European Commission has found to offer adequate protection; Article 46 covers transfers subject to appropriate safeguards, such as standard contractual clauses.
Stay Compliant at All Times
GDPR compliance is key—unless you want to rack up millions of euros in fines, it’s important that you have a policy in place. SixFifty makes it fast and easy to stay in compliance with EU privacy regulations. Within a few clicks, you’ll have everything you need to create a policy—and to keep it updated.
If you’re ready to get started or have further questions, schedule a demo with SixFifty today.