The GDPR (General Data Protection Regulation) is a European regulation intended to increase data protection for its citizens. Originally announced in 2016, the deadline to comply is May 25, 2018. GDPR replaces the 1995 Data Protection Directive and is widely viewed as a best practice for enforcing individuals’ data privacy rights.
The GDPR applies to organizations in the EU and also to companies located anywhere in the world that conduct business in the EU. In other words, this is not solely a European regulation. GDPR extends to any company, anywhere in the world, that conducts business with European companies or directly with European citizens, regardless of its physical location. Any company that controls or processes personal data of EU citizens must comply with this data privacy regulation. The fact that company location no longer matters is one of the most significant changes from previous data protection guidance.
As of May 25, 2018, regulators will be empowered to enforce the regulation and impose penalties or fines on organizations not in compliance. Note that the GDPR is a mandate, not a directive as the previous Data Protection Directive was. Non-compliance could result in fines of up to 4% of annual global turnover or €20 million, whichever is higher.
GDPR provisions apply to all 28 EU member states, creating a single standard with which European companies must comply. An important point within the GDPR is that the regulation holds data processors liable for breaches and non-compliance in addition to the controller of the data. This means it is possible for both the company that controls the data and its processing partner, such as a cloud storage provider, to be liable for penalties or fines regardless of which entity is actually at fault.
Another important point is that the GDPR lacks clarity around the definition of “protection” for personal data. The regulation states that companies must provide a “reasonable” level of protection for personal data; however, the vagueness of the word reasonable leaves a lot of room for interpretation. This grey area will give regulators some freedom when it comes to assessing fines for data breaches and non-compliance, according to a CSO Online article. It may also create inconsistencies in enforcement.
What to Expect After May 25, 2018
It remains to be seen how quickly regulators will levy major fines; however, it appears that they will be willing to work with organizations that can prove they are striving for compliance. As long as a company is putting forth good-faith efforts, it could benefit from reduced or postponed fines. Penalties will likely be reserved for companies that blatantly disregard the regulation or fail to comply after multiple warnings. If your company has not yet reached compliance, it is advisable to create a plan that documents your progress.
According to an Information Age article, fines, cyber criminal attacks and extortion rates may rise as a result of the new GDPR mandate. The stakes will be higher than ever between attackers, who can acquire and hold captive EU citizens' personal data, and the companies that control that data.
There will undoubtedly be a period of adjustment as companies strive to reach and maintain compliance. Regulators will need time to find common ground for assessing penalties, and unfortunately, cyber-attackers will dedicate time to developing new methods of attack. Fortunately, this adjustment period will likely amount to a built-in grace period while all parties involved sort out the new world of EU data protection.
Learn more about The Impact of the EU Data Protection Regulation (GDPR) in 2018, in a recent post from Telmo Silva, ClicData CEO.