The EU General Data Protection Regulation (GDPR) requires organisations that handle the personal data of people in the EU (the Regulation uses the term "personal data", which is broader than the US notion of Personally Identifiable Information, or PII) to implement safeguards and processes designed to protect individual privacy. Companies benefit from the Regulation's unification of data protection law across the EU, since a single set of rules replaces the national variations that grew up under the earlier regime. That earlier regime was the 1995 Data Protection Directive (95/46/EC); the GDPR, which replaces it and updates its requirements for modern data processing, was approved by the EU Parliament on April 14, 2016.
New GDPR Protections
The new GDPR protections have applied, and been enforceable, since May 25, 2018. The Regulation gives data subjects control over their own personal data, includes a right to erasure (the "right to be forgotten"), and strengthens protection for the following categories of data:
- Identity (name, address, etc.)
- Web (location, IP address, etc.)
- Health and genetics
- Biometrics
- Ethnicity
- Political views
- Sexual orientation
What Obligations Do Companies Have Under the Regulation?
Organisations that process personal data must have a written contract with every processor (supplier) that handles that data on their behalf, committing the processor to GDPR-compliant safeguards, and must be able to demonstrate compliance with a range of measures that protect the privacy of data subjects. A practical first step is an assessment of which systems store or process personal data, so that the associated risks can be identified and mitigated. Under the Regulation, organisations must:
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and, where the breach is likely to result in high risk, notify the affected data subjects as well)
- Respect data subjects' right of access to their personal data and, where consent is the lawful basis for processing, obtain that consent explicitly for the stated purpose
- Allow data subjects to request erasure of their personal data (the right to be forgotten)
- Build data protection into new systems at the design stage, not as a later addition (data protection by design and by default)
- Appoint a Data Protection Officer where their core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data
Who Needs to Comply & Penalties for Non-Compliance
While the 1995 Directive applied only to organisations established in the EU, the Regulation extends its reach to any organisation that processes the personal data of people in the EU, regardless of where that organisation is based. To put the new penalties in perspective: the UK's Information Commissioner's Office (ICO) had, under the previous law, never issued a fine greater than £400,000, whereas under the GDPR the most serious infringements can be fined up to €20 million or 4 percent of the organisation's annual global turnover, whichever is higher (a lower tier of €10 million or 2 percent applies to less serious infringements).