What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy law across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organizations across the region approach data privacy. After four years of preparation and debate, the GDPR was approved by the EU Parliament on April 14, 2016. Enforcement date: May 25, 2018, from which point organizations that are not in compliance may face heavy fines.
What geographical regions are affected?
The European Union (EU) is most directly affected. The regulation also reaches beyond the EU: under Article 3 it applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. In addition, any enterprise doing business with an enterprise in the EU, and handling data that falls under the provisions of GDPR, is responsible to that EU enterprise for meeting the GDPR requirements that apply to the data it processes.
What are the penalties for violations?
The maximum penalty for the most serious violations is the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year. A lower tier, the greater of €10 million or 2%, applies to less serious violations.
Can they be enforced in the U.S.?
Enforcement is carried out by the national supervisory authorities of the EU member states, and in practice it is difficult for them to reach a U.S. enterprise that has no establishment in the EU directly with a penalty. For that reason EU enterprises typically require contract addenda (the processor agreements Article 28 calls for) that cover the GDPR requirements, and these may also include indemnification provisions.
What areas of concern does the regulation address?
It addresses personal data, which Article 4 defines as any information relating to an identified or identifiable natural person (the "data subject"), that is, anyone who can be identified directly or indirectly from it. Examples include a name, a photo, an email address, bank details, posts on social networking websites, medical information, and a computer's IP address.
What are examples of actions my company might be required to take?
Actions might include appointing a Data Protection Officer (mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), changing procedures and systems to bring your practices and data processing into compliance with the regulation, and keeping complete and accessible documentation of the steps taken and of the current status of procedures and systems, mapped to the specific articles of the GDPR they satisfy.
What if I identify gaps between my current systems and the regulation?
The process the GDPR anticipates is identification of compliance gaps followed by a documented effort to reduce and then eliminate those gaps prior to the May 25, 2018 deadline. Companies are required to monitor system changes and keep documentation current after that; compliance is a continuing obligation, not a one-time project. Documentation platforms that can track and record changes as systems evolve over time, for example by pulling current configuration through APIs (Application Programming Interfaces), reduce the effort this takes.
If we close these gaps, do we achieve a one-time certification?
No. Closing the gaps does not result in a certification of compliance. Article 42 does provide for voluntary certification schemes, but such a certification is time-limited, must be renewed, and does not reduce the organization's responsibility for compliance. The regulation instead contemplates the possibility of a compliance audit by a supervisory authority at any time after the May 25, 2018 deadline.
How can I best be prepared for an audit?
Preparation has two equally important components: 1) closing compliance gaps by making any and all needed procedure and systems modifications, and 2) constantly and consistently documenting, in detail, the current procedures, systems and data models in a form that internal legal, your EU-associated enterprise and the EU supervisory authority's auditors can easily access and understand.
The best documentation systems available allow API connectivity back to the documented systems, which reduces the manual work required going forward and helps ensure the documentation stays accurate.