EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will take effect across the European Union (EU) on May 25, 2018, when it supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD).
Introduced to keep pace with the modern digital landscape, the new Regulation aims to reinforce the data protection rights of individuals, and to simplify the free flow of personal data in the EU by applying a consistent data protection framework across the member states.
GDPR: the impact on US organizations
For US organizations, the most significant change concerns the territorial reach of the new EU regulation. Under the current EU Data Protection Directive, organizations without a physical presence or employees in the EU territory have one main compliance issue to deal with: how to legally transfer data out of the EU. The EU-US Privacy Shield, which replaces the “Safe Harbor” scheme, provides such a mechanism for compliance.
The GDPR takes a different and more substantive approach to the issue of jurisdiction. Even if the data is collected by an organization operating entirely outside the EU, it will be governed by the Regulation if the data relates to the offering of goods or services to EU residents or to monitoring their behavior. Effectively, almost all US organizations that collect or process data relating to individuals in the EU will be required to comply fully with the requirements of the GDPR. Additionally, US organizations without a physical EU presence must appoint a GDPR representative based in a member state.
A matter of urgency
Every US organization that processes or shares EU residents’ personal data now has less than 18 months to comply with the Regulation. Ignoring the GDPR or getting compliance wrong could have costly repercussions: organizations found to be in breach of the Regulation face administrative fines of up to 4% of their annual global turnover or €20 million (US$21.3 million), whichever is the greater.
Organizations that are compliant and take the time to properly prepare for the new Regulation will not only avoid significant fines and reputational damage, but will also find that their data handling, information security, compliance processes and contractual relationships are more robust and reliable.
A board briefing: What the GDPR means for your business
Data protection is no longer just a legal, compliance, or security issue. Given the magnitude of the penalties, and the potential for significant reputational damage, GDPR compliance needs to be a priority on the agendas of the Board and senior management. In this short video, information security expert Alan Calder, the founder and executive chairman of IT Governance, provides a concise outline of what companies can expect from the Regulation, and explains a few practical steps for boards to consider to ensure compliance.