GDPR: General Data Protection Regulation
Deadline: May 25, 2018
The GDPR was approved and adopted by the EU Parliament on April 14, 2016 and goes into full effect on May 25, 2018. This applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy from the previous directive still hold true, many changes have been proposed to the regulatory policies.
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Why does this matter to non-EU companies?
If you collect data from potential and current customers and any of them live in an EU country, including the UK, you could be subjected to a Class Action Lawsuit. Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
U.S. companies will need to change the way they process, store, and protect customers’ personal data. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Notable Individual Rights
The points listed below begin to outline some of the notable individual rights that organizations must be aware of concerning the GDPR.
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
How can CTI help?
Our consult team has the tools and experience to conduct a risk assessment or a specific GDPR Gap Assessment for your organization. During this process, our team will outline your posture and the measures that need to be taken to mitigate GDPR risk.
Fill out the form on this page or call 1-800-606-6060 today to set up an appointment with one of our experts!