What Is the EU GDPR?
The GDPR is the replacement to the original Data Protection Directive 95/46/EC and according to the European Parliament, “aims to give [EU] citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era”. Basically, this is a series of law changes that impact any business in the European Union but it also impacts any organization outside of the EU that does business with an EU based company. It is important to mention that the GDPR is a regulation, vs the previous directive, and uniformly sets the standard for data protection laws across all the nations that are part of the European Union. (A directive allows each nation to figure out how to comply vs a regulation which doesn’t give that choice to each nation).
What Is the Impact of the GDPR to American Businesses?
The impact of the GDPR is overwhelming, even for larger enterprises with lots of resources at their disposal. Companies must maintain adequate data records; notify regulators in the event of a data breach; ensure customers the right to be forgotten; and enable customers to take their data with them. Additionally, CIOs and CISOs must also ensure that their cloud vendors and other 3rd-party vendors are adhering to GDPR specifications.
“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR), going into effect in April 2018. The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for uS companies that offer goods and services to EU citizens. Business that do not comply with GDPR face a potential 4% fine of global revenues, increasing the need to successfully navigate how to plan for and implement the necessary changes.”
It’s no surprise that many companies will not be in full compliance with the new regulations by 2018. It’s our recommendation that American businesses (with personal data from citizens of the EU) dedicate a permanent budget for privacy and data protection rather than allocating a larger portion of their budget to meet these new requirements. Many companies that are going to be successful in long-term privacy compliance are those companies that will be making policy and corporate changes to the way they handle and store data. Most C-level’s are turning to encryption, tokenization, and technologies that enable pseudonymization (replacing identifying data fields in a data record with artificial identifiers). Since the GDPR is very intensive and legally complexed it’s also recommended that you speak with an EU regulator or a business lawyer to get compliant.