If you own or work for a company that does business with anyone who is in the European Union (EU), you’ve hopefully already heard a bit about the EU General Data Protection Regulation (GDPR).
In short, the GDPR, which has been in the works since the European Commission proposed it in 2012 and was adopted in April 2016, replaces the Data Protection Directive 95/46/EC and strengthens data protection for everyone in the EU. Whether you have current and repeat transactions with the EU or you may in the future, here are ten facts you need to know about the GDPR requirements before it takes effect on May 25, 2018.
1. If You Own or Operate a Business, the GDPR Regulation Applies to You
Many business owners in the U.S. and other countries assume that because they aren't based in the European Union, the GDPR doesn't apply to them. It does: under Article 3, if your company processes personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, you must comply with the whole regulation regardless of where you are established.
How do you know if your company processes personal data? If you offer goods or services to customers or businesses in the EU, you will be handling personal data (names, e-mail addresses, order details) and must be GDPR compliant. The GDPR also reaches your internal communications, since messages between employees routinely contain personal data, so it's critical to move to a compliant platform now so that this data remains secure.
2. Controllers and Processors Have Specific GDPR Regulation Responsibilities
According to Article 4 of the GDPR, a 'controller' is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, "determines the purposes and means of the processing of personal data."
A 'processor' is a body that processes personal data on behalf of the controller. While the processor may look like a "middleman," the GDPR places direct legal obligations on processors for the first time: a processor must act only on the controller's documented instructions under a written contract (Article 28), keep records of its processing activities (Article 30), and implement appropriate security measures for the data it handles (Article 32).
3. You May Need to Appoint a Data Protection Officer
The GDPR requires you to appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale (behaviour tracking, for example), or if you process special categories of data (health, biometric, or criminal-conviction data, among others) on a large scale (Article 37). The DPO oversees your processing and is your point of contact for the supervisory authority and for the people whose data you hold.
4. The Definition of "Personal Data" Is Broader Than You Think
When dealing with business transactions, we may assume that personal data is limited to account or ID numbers, addresses, and dates of birth. While that data must certainly be kept secure, the GDPR's definition reaches much further.
Personal data is "any information relating to an identified or identifiable natural person," and a person is identifiable if they can be identified "directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier" or to factors specific to their "physical, physiological, genetic, mental, economic, cultural or social identity" (Article 4(1)). IP addresses, cookie IDs, and device identifiers therefore count, as does genetic, health, and economic information.
5. There’s a Deadline for GDPR Compliance
Once you determine whether the GDPR applies to you (remember, it affects any company that offers goods or services to, or monitors, people in the EU), you have until May 25, 2018, to be fully compliant. There is no grace period after that date.
6. There are Consequences for Non-Compliance
Anyone who should be compliant with the GDPR and isn't by the deadline can face an administrative fine of up to 20 million euros or 4% of the company's annual worldwide turnover, whichever is higher, for the most serious infringements; a lower tier of up to 10 million euros or 2% applies to others (Article 83).
GDPR fines vary depending on how data is "mishandled," which may include (but is not limited to) failing to report a data breach, failing to build in data protection by design and by default (Article 25), and transferring personal data outside the EU without a lawful basis. Make sure you only use GDPR-compliant means of communication, including any team app you use for internal communication. Before adopting any app, check that the provider will sign a processor contract with you (Article 28) and tells you where your data is stored. Consumer messaging apps like WhatsApp were not built with these obligations in mind, and using them for business data can result in these hefty fines.
7. You Need a Lawful Basis and a Clear Explanation for Collecting Personal Data
Many companies collect personal data without the other person knowing. Even if the individual doesn't mind, you must tell them, at the time of collection, who you are, why you are collecting the data, and how it will be used (Articles 13 and 14), and every processing activity needs a lawful basis under Article 6. Consent is one such basis; when you rely on it, the consent must be freely given, specific, informed, and unambiguous, explicit for special categories of data, and as easy to withdraw as it was to give. Make sure you know which business communication tools your own workforce and your partners' workforces use, such as a team app, so that you can confirm they are GDPR compliant.
8. A Breach Must be Reported Within 72 Hours
Any breach of personal data that is likely to result in a risk to individuals' rights and freedoms must be reported to your supervisory authority within 72 hours of your becoming aware of it (Article 33). If you notify later than that, you must give the reasons for the delay, and an unjustified delay can lead to a fine. Processors must notify their controller without undue delay, so you need a breach-reporting channel with every vendor that handles personal data for you.
9. Victims Must be Alerted to Any Risks
If a breach is likely to result in a high risk to individuals, the company must contact the affected individuals directly and without undue delay, describing the breach in clear and plain language (Article 34). A press release, a website notice, or social media posts are not "enough": the GDPR allows a public announcement in place of individual notices only when contacting people one by one would take disproportionate effort.
10. GDPR Compliance May Differ from One Company to the Next
GDPR compliance is likely to look quite different from one organization to the next. It depends on the company's size, on the personal data collected, including through internal communication channels such as a team app, and on the goods and services offered. The best way to ensure your company complies with the GDPR by May 25, 2018, is to work through a GDPR checklist; it's not too late to prepare yourself for the changes.
Get a free demo of Beekeeper’s GDPR-compliant internal communications platform to make sure you aren’t at risk.