Does the General Data Protection Regulation apply to your Ohio business?
Short answer: YES.
Let’s get into it. The GDPR stands for General Data Protection Regulation, and it goes into effect on May 25, 2018.
It was enacted to create uniform data protection rules across member states.
In its view, a unified set of rules and standards will allow European Union citizens more control over their personal information.
The new rule will also have a global impact on any company that offers goods or services to EU residents or monitors their behavior (e.g., tracking their buying habits). The ruling will impact U.S. firms that have interests, holdings and customers on European soil.
In a nutshell… it requires US businesses to protect European Union citizens’ personal data.
And while the proposed rules should make it easier for companies in the US to comply with the regulation, there are several penalties at play for non-compliance.
Potential fines could be as high as 20 million euros or 4% of annual turnover, whichever is higher.
The data protection reform takes place through two instruments:
- The GDPR
- The Data Protection Directive
So what exactly is the GDPR?
GDPR enables individuals to better control their personal data, regardless of where this data is sent, stored or processed.
And it has four provisions, which are as follows:
- More access to personal data: Individuals will have more information on how their data is processed
- A right to data portability: It will be easier for individuals to transmit their personal data between service providers.
- A right to be forgotten: Individuals have a right to have their personal data erased if there’s no legitimate ground for retaining the data.
- The right for individuals to know when their information has been hacked: The GDPR creates an obligation for those who gather, store or process personal data to notify their respective national supervisory authority of any data breaches that put them at risk.
Data Protection Directive
The Data Protection Directive applies to the police and criminal justice sectors.
The directive was adopted to protect the personal data of victims, witnesses and suspects in a criminal investigation or law enforcement action.
The directive also facilitates the sharing of information and cross-border cooperation to combat crime and terrorism.
How does this impact your US business?
The reforms create a more efficient business environment by cutting red tape and reducing costs many businesses endure if they process personal data across borders.
Businesses may be able to capitalize on simpler, clearer and more unified standards as they restore or maintain consumer trust.
The reforms also make new data protection standards extraterritorial by requiring all businesses to comply while they do business in an EU member state.
This ensures that all players within the EU are bound by the same rules, regardless of where they are established.
In addition, the rules streamline data safety by creating one central, single supervisory authority in each member state.
It also promotes a risk-based approach to compliance requirements, recognizing that businesses should have different obligations and operate under standards that more accurately represent the particular risk associated with their data processing.
Finally, the new rule calls for data processors to implement data protection safeguards from the early stages of product and service development to ensure that data protection becomes the norm, by design and by default.
This includes appointing a data protection officer (DPO) responsible for data protection compliance.
Organizations must appoint a DPO if they are a public authority, if they carry out large-scale systematic monitoring of individuals, or if they carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.
How does this impact employers?
Employers process a large amount of personal data from their employees. Often, processing employee information is necessary to comply with employment law and to provide adequate benefits.
However, many organizations lack a mechanism to determine which data should be saved or deleted based on its value.
Under the GDPR, a business can retain personal data if it is still being used for the purpose originally notified to the individual at the time of collection.
However, the business must delete personal data when it’s no longer needed for that same purpose.
For this reason, employers should evaluate how the GDPR affects their personal data processing practices, policies and procedures.
In particular, employers should consider whether they’ve obtained consent for a specific purpose and delineate when and how this consent may lapse.
How to prepare for the GDPR:
The GDPR expands the definition of personal data and the rights of data subjects, making it difficult to determine your requirements.
Here are four steps to prepare for the GDPR:
- Conduct a data audit across your entire organization. Determine what information is collected across all your organization’s departments and operations.
- Determine how the data is processed, stored and retained. Identify which of the GDPR’s six lawful bases your business uses to collect data, where data is stored, the recordkeeping process for data use and your business’s policy on data retention.
- Examine your vendors’ and partners’ data management practices. Make sure that business partners such as cloud service providers, payment processors and marketing firms are ready to comply with the GDPR. Even if your own data protection measures are in place, you can still be held partially liable for a vendor’s failure to comply.
- Create a plan that accounts for the GDPR’s requirements on consent, data subjects’ rights and breach notification. Meet with management, IT, legal teams and other stakeholders to create a GDPR compliance plan that’s unique to your business. Keep in mind that your plan should address how your business will collect and record data users’ consent to process information, comply with requests to delete or transfer data, and report data breaches to supervisory authorities.
For more information on protecting your business and ensuring compliance, contact us at (330) 334-1561 or email firstname.lastname@example.org.
Interested in learning more about the GDPR? Download our free infographic that covers the main points of the GDPR.
This article was adapted from Zywave's Risk Insights: EU General Data Protection Regulation. This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.