GDPR: What You Need to Know as the May 25th Deadline Looms
The General Data Protection Regulation (GDPR) is set to take effect across the EU in a few short weeks, and businesses around the world are scrambling to ensure their data protection practices will be compliant with the new regulations. Failure to comply with GDPR can result in financially devastating penalties.
The objective of GDPR is to protect EU citizens’ personal data and to give them back ownership of how their information is used by companies who have obtained it. These new, tighter guidelines are disrupting the existing notion that businesses “own” one’s personal information just because it lives on their servers and in their clouds.
It is important to note that even businesses based outside of the EU cannot afford to ignore GDPR because it likely impacts them as well: the scope of the regulation is broad and includes any business, of any size, processing any data that originated in the EU. Further, many experts believe the EU to be a data protection pioneer and predict that other countries may soon adopt similarly stringent data privacy laws. Taking steps now to audit and classify data will undoubtedly prove prudent.
Some key changes set forth by the GDPR include:
- Significantly heftier fines for infringements: the new maximum fine is 4% of global annual turnover or approximately $25M, whichever is higher. This is a marked change from the current maximum fine of just $600,000.
- Tighter deadlines for data breach disclosures: data controllers have just 72 hours post-breach to report that personal data has been lost, stolen, or otherwise illegally accessed, or else they are subject to the penalties.
- Broadened definition of personal data to include IP addresses and location data.
- Specification that companies, as well as their contractors, are responsible for compliance, so there is no diminishing responsibility “down the line”.
- Greater emphasis on transparency: what data is being kept, and is it being processed lawfully, in compliance with GDPR?
- New collection of rights for consumers, including the right to access their data, the right to make changes to the information they provided, and the right to withdraw their consent at any time.
Preparation for compliance with GDPR is further complicated by many companies’ increased reliance on cloud services and managed service providers. With more data being moved off-prem and more IT operations being conducted by third-party vendors, it has become progressively more difficult to know precisely where personal, potentially toxic data might be stored. Under the new regulations, however, this ambiguity is unacceptable; GDPR demands total visibility. Therefore, the path to achieving GDPR compliance begins with data discovery and data classification: conducting a full audit to understand what types of information are being stored, and putting procedures in place to identify which of that data falls under the GDPR definition of personal and privileged information.
Congruity360’s information governance capabilities, including data collection, auditing, review, management, and analytics, are second to none. Our corps of HIPAA- and GDPR-compliant engineers has the experience and resources to help your organization create a data management strategy that fulfills all compliance regulations. Contact our expert consultants today to protect your data, ensure full GDPR compliance, and save your organization from significant financial penalties.