The General Data Protection Regulation (GDPR) is a set of rules, applying to transactions that happen within EU member states, that requires organizations to protect the personal data and privacy of people. More than half of US organizations believe they’ll be fined due to the upcoming GDPR changes, according to an Ovum survey. That same report found two-thirds of businesses expect to have to change their global business strategies to account for these new data privacy regulations.
The GDPR’s updated rules go into effect on May 25, 2018. Not complying with these regulations can have dire consequences, so make sure you understand the requirements and upcoming deadlines.
The GDPR was originally introduced in April 2016, with provisions remaining consistent across all 28 EU member states. It requires companies to protect personal data of EU citizens, both within and outside of the EU. These rules have a significant effect across the globe, causing companies to rethink the way they operate. Just about every business will be affected by the updated regulations – here are the organizational criteria requiring compliance with GDPR:
- Presence in an EU country
- No presence in an EU country, but processing of personal data of EU residents
- More than 250 employees
- Fewer than 250 employees, but data processing includes certain types of sensitive personal data or affects the rights and freedoms of data subjects
The GDPR protects privacy information of EU citizens, which includes basic identity information like names and addresses, but it also covers a broader scope. Web data (including IP addresses and social media posts), location data, health data, biometric data, racial data, and genetic data are also all covered.
Perhaps the two most prominent changes to the GDPR revolve around scope and breach notification. Previously, the GDPR only affected countries within the EU. Now it applies to all companies processing the personal data of people residing in the EU, no matter where the company itself lies.
With data breaches, if the breach is likely to “result in a risk for the rights and freedoms of individuals,” companies must notify customers within 72 hours of first becoming aware of the breach.
Additionally, organizations will no longer be able to use long, illegible terms and conditions full of complicated legalese when requesting consent. Instead, consent must be “clear and distinguishable” from other matters and provided in an easily accessible form. This consent must be easily withdrawable, and companies must erase personal data when requested.
Deadlines, Penalties, and Next Steps
The most important date to know is May 25, 2018. That’s when all companies must be able to show compliance with GDPR. Failure to comply could result in penalties valued at four percent of global annual turnover, or up to €20 million.
Note that both data processors and data controllers must follow these rules, meaning clouds won’t be exempt from GDPR enforcement. A controller “determines the purposes, conditions, and means of the processing of personal data,” while the processor “is an entity which processes personal data on behalf of the controller.”
Your company likely already has a data protection plan in place, but make sure you thoroughly review it and update as necessary so that it fulfills GDPR requirements. It can be a complicated process, and there’s no harm in asking for help. A global managed service provider has the expertise and knowledge of compliance across different countries and can help you navigate the muddied global compliance waters.
In addition to ensuring your organization is compliant when architecting an environment, the right MSP will also make sure cloud security controls are deployed consistently. An MSP can also aid in monitoring and ongoing assessment. Having that extra support can be the difference between releasing private data and keeping your customers’ information secure.
The GDPR will be a massive change for just about every business. Prepared organizations will be one step ahead.