What is GDPR and how does it affect companies?

As of 25th May this year, a new framework for the European consumer data protection came into force, aimed at driving radical changes in everything from technology to advertising and medicine to banking. This regulation sets a new standard for data collection, storage, and usage among all businesses (no matter their size, industry or country of origin) handling consumer information of EU citizens.

The GDPR main objectives are to give citizens back personal control of their data and to simplify regulation for businesses, that is, change the way how companies handle consumer privacy, and provide people new rights to access and control their own data on the internet.

However, now that the regulations carry the force of law, businesses could face steep fines for failure to comply, especially because the GDPR leaves much to interpretation. For example, says that companies must provide a “reasonable” level of protection for personal data, but doesn’t outline what this definition constitutes, which gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.

Sadly, many companies thought this change was just about sending a couple of e-mails saying “the privacy policy has changed” and “just click here so we can stay in touch“, which hindered their response plans to incidents. For this reason, we’ve compiled all the GDPR information you need to know, along with some tips to meet its requirements.

What’s GDPR?

GDPR is a series of laws spelling out the digital rights for citizens of the EU. The European Parliament first proposed the GDPR in 2012 as a way to create consistent data privacy laws in the EU member states, replacing an outdated directive from 1995, and an even older set of principles called the Fair Information Practices.

GDPR represents one of the most robust data privacy laws in the world and its provisions are consistent across all 28 EU member states. This means companies have just one standard to meet, which is quite high and will require most of them to make a large investment to comply and manage.

The final text of GDPR includes the following requirements:

• Anyone involved in processing EU citizens data, can be held liable for a breach.
•  When a consumer no longer wants their data to be processed by a company, the data must be deleted (provided there are no legitimate estates for retaining it).
• Companies that process sensitive data on a large scale must appoint a data protection officer.
• Companies should notify the relevant national supervisory authority of serious data breaches as soon as possible.
• Parental consent is required for children less than 16 years to use social media.
• There will be a single supervisory authority for data protection claims, with the intention of streamlining compliance for businesses.
• People have full and absolute right to data portability, to allow them to easily transfer their personal information between services.

When this regulation was implemented?

The GDPR was proposed by first time in 2012, adopted in April 2016 and finally came into force on 25th May of this current year. If you’re new to the GDPR game, this was the first day when the new regulation could officially be enforced in the EU against any organization collecting personal data and failing to comply with the new rules.

In the days since GDPR Day and the start of its enforcement, many companies (including the big ones) have failed in some way to comply with the new regulations, especially those that have attempted to comply in a way that avoids the consumer protections.

If your organization has taken the necessary steps to meet in good faith and cares about the personal data of its customers, employees and/or anyone else whose data it collects, it’d probably be safe. However, if you only make an effort to just apparently comply with GDPR by subverting privacy regulation, you should be concerned.

How does GDPR affect companies?

At first glance, it may seem that the GDPR only applies to global corporations that conduct several businesses overseas. This is just a false perception that could harm many small businesses.

No matter the size of your organization if you collect or process personal data on citizens in the European Union (from email addresses to medical records) you’re legally required to comply with GDPR regulations, even if you don’t have a business presence within the EU.

If you don’t want to be negatively affected by the change, you need to understand your responsibilities in complying with the regulations. The specific criteria for companies required to obey are:

• Physical presence in an EU country
• No physical presence in the EU, but it processes and/or stores personal data of European citizens.
• It has more than 250 employees
• Less than 250 employees, but its data-processing impact the rights of data subjects, or include certain types of sensitive personal consumer’s information.
• Companies need to put procedures and systems in place to ensure that each of the GDPR clauses are correctly fulfilled, validating how any personal data is collected, stored, processed and shared.

Some surveys on which industries would be most affected by GDPR indicate the following order:

-Technology sector (53%)

-Online retailers (45%)

-Software companies (44%)

-Financial services (37%)

-Online services/SaaS (34%)

-Retail/consumer packaged goods (33%)

Do US companies need to be GDPR compliant?

We already know that most multinational and EU-based companies should guarantee compliance with the GDPR. But what about if you’re a US-based company with no direct business operations in any one of the 28 member states of the European Union? Do you think you’re free from the scope of GDPR? Let’s analyze this.

In short, the main goal of the GDPR is to protect the “personal data” of EU citizens, including how the data is collected, stored, processed and destroyed. According to GDPR, “personal data” refers to any information relating to an identified or identifiable natural person (IP addresses, cookie strings, social media posts, online contacts and mobile device IDs)

Therefore, now even if a US-based business has no employees or offices within the limits of the EU, the GDPR may still apply. This includes industries such as e-commerce, logistics, software services, travel and hospitality. So if your company has a strong internet presence, you should evaluate if your business activity falls within the territorial scope of the GDPR.

Are there any penalties for non-compliance?

The penalties and fines imposed by the GDPR on companies that fail to comply are calculated based on the company’s global annual turnover of preceding financial year. They can reach up to 4% or €20 million (whichever is greater) and 2% or €10 million (whichever is greater) for less important infractions. According to reports more than 50% of the companies within the GDPR scope will not be compliant by the end of 2018