In April 2016, the European Union (EU) took a significant step towards increased data privacy and security for its citizens by passing the General Data Protection Regulation (GDPR) legislation. It is scheduled to go into effect on May 25th, 2018. Unlike the previous Data Protection Directive, the GDPR is binding for all 28 EU members and overrides any existing local laws.
At its core, the GDPR is a privacy protection law that gives all EU citizens increased rights over their personal data. Further, it allows Data Protection Authorities (DPAs) to manage violations of the GDPR, ensuring that non-compliant companies do not get off scot-free. This legislation has global implications: it affects EU companies, but also companies with operations or business interests in the EU. The ‘cheat sheet’ below is an abridged version, drawn from the official website, of the top 10 highlights that global and EU-located companies should be aware of.
For Companies Headquartered Outside of the EU
Expanded Geographic Protection: The new GDPR law has widened the territorial scope beyond that of the Data Protection Directive. The rules apply to companies regardless of their location if they process the personal data of EU residents.
Strict Penalties for Violators: GDPR has a built-in provision for imposing hefty penalties on violators. The law states penalties for noncompliance could reach up to 4% of the violator’s global annual revenue or 20 million Euros, whichever is greater. The new rule forces companies to demonstrate their compliance.
Tighter Data Transfer Regulation: GDPR prohibits the transfer of personal data to a non-EU country without the proper safeguards. In effect, if your headquarters are located outside the EU, then you can no longer process or store the personal information of your EU employees or customers. The only exception is if the individual agrees to a legally binding and enforceable contract, as per the GDPR guidelines.
Mandatory Breach Notification: GDPR requires companies to notify their local DPA of any data breach. After the notification, the DPA investigates to determine whether the company is GDPR compliant.
Data Protection Officer (DPO): Multi-national companies that process a large amount of data relating to EU residents will be required to appoint a DPO. The DPO must be independent and fluent in data protection law to ensure GDPR compliance.
For Subsidiaries Located in the EU
Consent Clause: Companies will be required to seek permission from EU citizens before collecting their personal data. The consent must be clear and unambiguous about the purpose of obtaining the data, how it will be stored, and for how long.
Right to Be Forgotten: EU citizens can request that companies erase their personal data. All of the individual’s personal data, from all of the company’s systems and from third parties, must be deleted.
Contracts and Vendors: The new regulations will force companies to review all service agreements and employment contracts with EU customers and employees. Also, local entities in the EU will have to reassess third-party vendors to ensure the safety of their employees’ personal data.
Privacy Control Mechanism: GDPR pushes companies to adopt ‘privacy by design’, which establishes privacy control mechanisms from the start of any process or system rather than adding a protection layer later.
Employees Transferring Data: EU citizens will have the right to obtain and reuse their personal data across various services, and data controllers will have to provide the capability for individuals to transfer their personal information securely.
Do you have questions about getting GDPR compliant?
Get in touch with us at +1 (408) 703-0455 or info@mihi.com. If you don’t want to miss any of our articles, subscribe to our blog and we will send them directly to your inbox.