What You Should Know:
- The General Data Protection Regulation (GDPR) is the European Union’s extensive effort to give people more control over how organizations use their data. Over four years in the making, GDPR will replace the Data Protection Act of 1998, ensure balanced data protection law across the European Union, and launch heavy penalties against businesses that are not GDPR compliant.
- GDPR will impact any business that uses the personal data of European Union citizens, even if those businesses are not actually based in the European Union themselves.
- GDPR is driven by the European Union’s desire to align data protection law with how people’s data is being used. The European Union also wants to ensure that businesses are well-informed regarding the data protection laws that dictate what they can and cannot do with user data.
- GDPR will automatically go into effect on May 25, 2018, and on this date companies must be able to show their compliance.
- A summary of the GDPR compliance measures that businesses must take includes: processing user data only for authorized purposes; ensuring data accuracy and integrity; and minimizing the exposure of user identities. Businesses must also make security a contractual requirement, base it on risk assessment and encryption, and put safeguards in place when data is kept for additional processing. GDPR further mandates a right to erasure, conducting a full risk assessment, and a 72-hour notification period should a breach occur, among other terms.
Level recommends a prompt review of your business’s European Union activities to evaluate if and how GDPR applies to your business. It is recommended that all businesses create data maps, which show the systems that collect, process, and/or store personal data. Independent of the GDPR, all businesses should be aware of their data processing activities and build an inventory showing who, what, where, why, and how.
Sources and Related Articles: