How to Prepare for the New EU General Data Protection Regulations

The General Data Protection Regulation (GDPR) is a set of rules governing transactions within EU member states that requires organizations to protect the personal data and privacy of individuals. More than half of US organizations believe they’ll be fined due to the upcoming GDPR changes, according to an Ovum survey. That same report found two-thirds of businesses expect to have to change their global business strategies to account for these new data privacy regulations.

The GDPR’s updated rules go into effect on May 25, 2018. Not complying with these regulations can have dire consequences, so make sure you understand the requirements and upcoming deadlines.

GDPR Basics

The GDPR was originally introduced in April 2016, with provisions remaining consistent across all 28 EU member states. It requires companies to protect the personal data of EU citizens, both within and outside of the EU. These rules have a significant effect across the globe, causing companies to rethink the way they operate. Just about every business will be affected by the updated regulations. An organization must comply with GDPR if it meets any of the following criteria:

  • Presence in an EU country
  • No presence in an EU country, but processing of personal data of EU residents
  • More than 250 employees
  • Fewer than 250 employees, but data processing includes certain types of sensitive personal data or affects the rights and freedoms of data subjects

Regulations

The GDPR protects the private information of EU citizens. This includes basic identity information like names and addresses, but it also covers a broader scope: web data (including IP addresses and social media posts), location data, health data, biometric data, racial data, and genetic data are all covered.

Perhaps the two most prominent changes in the GDPR revolve around scope and breach notification. Previously, the GDPR only affected countries within the EU. Now it applies to all companies processing the personal data of people residing in the EU, no matter where the company itself is located.

For data breaches, if the breach is likely to “result in a risk for the rights and freedoms of individuals,” companies must notify customers within 72 hours of first becoming aware of the breach.

Additionally, organizations will no longer be able to use long, illegible terms and conditions full of complicated legalese when requesting consent. Instead, consent must be “clear and distinguishable” from other matters and provided in an easily accessible form. This consent must be easily withdrawable, and companies must erase personal data when requested.

To see a full list of all the GDPR regulatory changes, click here.

Deadlines, Penalties, and Next Steps

The most important date to know is May 25, 2018. That’s when all companies must be able to show compliance with GDPR. Failure to comply could result in penalties valued at four percent of global annual turnover, or up to €20 million.

Note that both data processors and data controllers must follow these rules, meaning cloud providers won’t be exempt from GDPR enforcement. A controller “determines the purposes, conditions, and means of the processing of personal data,” while the processor “is an entity which processes personal data on behalf of the controller.”

Your company likely already has a data protection plan in place, but make sure you thoroughly review it and update it as necessary so that it fulfills GDPR requirements. It can be a complicated process, and there’s no harm in asking for help. A global managed service provider has the expertise and knowledge of compliance across different countries and can help you navigate the muddied waters of global compliance.

In addition to ensuring your organization is compliant when architecting an environment, the right MSP will also make sure cloud security controls are deployed consistently. An MSP can also aid in monitoring and ongoing assessment. Having that extra support can be the difference between releasing private data and keeping your customers’ information secure.

The GDPR will be a massive change for just about every business. Prepared organizations will be one step ahead.

Datapipe has joined forces with Rackspace to create the world’s leader in multi-cloud managed services. Learn more about the acquisition here.

Rich Dolan briefly served as Senior Director of Corporate Marketing at Rackspace. Before that he was Senior Vice President of Marketing for Datapipe, where he spent 16 years developing and driving its world-class marketing team as the company grew into one of the leading global managed service providers, from its early days as a start-up to a global enterprise player. He built and oversaw digital marketing and demand generation, event management, content management, internal communications, brand management, partner marketing and web properties. Rich managed the consolidation of marketing resources from five acquisitions, and led Datapipe to thirteen Gartner Magic Quadrant recognitions across the globe, including four placements in the Leaders quadrant. Before Datapipe, Rich spent four years with web design firm RareMedium, where he designed and architected web presences and client-facing applications for Madison Square Garden, JP Morgan, Atlantis, XM Radio and Credit Suisse First Boston. Rich graduated summa cum laude from the New York Institute of Technology with a BA in computer graphics. He lives in New York with his wife and daughter.