What is the General Data Protection Regulation (GDPR)?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive, which has been in effect since 1995.
While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018. The GDPR actually became law in April 2016, but given the significant changes some organizations will need to make to align with the regulation, a two-year transition period was included. Organizations should not expect any grace period from regulators beyond May 25, 2018. Some EU member state regulators have already gone on record to say there will be no enforcement holiday for organizations that fail to comply.
What are the main requirements of the GDPR?
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
- Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. Your organization must take steps to keep personal data secure through technical and organizational security measures
How will the GDPR affect my company?
The GDPR contains many requirements about how you collect, store, and use personal information. This means not only how you identify and secure the personal data in your systems but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.
Given how much is involved, you should not wait until the regulation takes effect to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.