5 things you need to know about GDPR before it’s too late
What is the GDPR?
The EU General Data Protection Regulation (GDPR) was developed to create cohesive data privacy laws across Europe that serve to protect all EU citizens. It replaces Data Protection Directive 95/46/EC, and differs in a number of significant ways, such as:
- Larger jurisdiction. The General Data Protection Regulation will apply to all companies that process the personal data of anyone living in the European Union, regardless of the company’s location.
- Fines. Organizations, including controllers and processors, that are not in GDPR compliance can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater).
- Consent. Consent must be requested in a clear, easily accessible manner – and must be distinguishable from other matters. In addition, it must be as easy to withdraw consent as it is to give it.
- Breach Notifications: Breach notification will be mandatory – and must be completed within 72 hours of an organization first having become aware of a breach.
- Privacy. The GDPR requires that data protection be included from the onset of the designing of systems, rather than as an addition.
For a full list the most important changes between the General Data Protection Regulation and the Data Protection Directive 95/46/EC, visit http://www.eugdpr.org/key-changes.html.
The GDPR applies to organizations within the European Union, as well as companies located outside of the EU. Basically, any organization that offers goods or services to, or monitors the behavior of, EU data subjects, are impacted by the GDPR. Regulations apply to both controllers and processors, which means that "clouds" are not exempt from GDPR enforcement.
How Services in the Cloud Storage Can Help
Because brands that provide services to millions of people around the world are obligated to uphold the laws of the countries where they do business, it behooves organizations that also do business in those countries to work together. And whether you're a multi-national corporation, or a small web-based business that reaches customers in the EU, by choosing cloud services provided by a global partner who is committed to adhering to the GDPR, you can work your way toward GDPR compliance without ever lifting a finger.
For instance, Microsoft's Office 365 includes measures that comply with the GDPR's data protection policy guidelines, as well as its security threat protection mandate. And because Office 365 is cloud based, it allows you to passively stay up to date – and gives your organization more time to focus on the "bigger picture" implications of the GDPR.
Because the GDPR hasn't been enacted yet, it's difficult to know which organizations, cloud or otherwise, will be compliant at its launch. However, in order to find the tools your organizations need to solidify its own compliance you'll need to seek out companies now that have pledged compliance.
Many organizations have publicly vowed to achieve compliance by the time that the GDPR is enacted. A quick online search and/or an email or phone call with representatives from the organizations that you do (or are considering doing) business with are good first steps. Beyond that, consider asking your resident technology expert to vet the practices of your partners to determine whether they're the right fit for your organization in the age of the GDPR. If you don't have a tech expert who can help, you may consider hiring a technology consulting firm to vet your partners for you. After all, the cost of non-compliance will be steep, so protecting yourself is imperative – not only to your bottom line and your customer base, but indeed, to the future of your company.
The Growth Center does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation.