The EU General Data Protection Regulation (GDPR) was enacted to protect the privacy rights of EU Residents.
The EU General Data Protection Regulation was enacted to protect the privacy rights of EU Residents. GDPR represents a significant risk to US organizations who market products or services to European Union residents, or who have prior existing relationships with EU customers. In fact, if your organization processes data on behalf of a client that has European customers, you must comply with GDPR.
- Effective May 25, 2018
- Extends privacy protections and rights of EU residents beyond EU boundaries
- Issues noncompliance penalties, which can total 4% of annual revenue or €20 Million (whichever is greater)
- Replaces the EU Data Protection Directive
There are major differences between GDPR and any previous regulation impacting American business.
- The definition of personal data is significantly broader than American PII or ePHI. Personal data includes email addresses, web browsing or shopping history (cookies) and location identifiers.
- GDPR defines strict rules for the processing and storing of EU citizens’ personal data
- Personal data must be tokenized (pseudonymization). Individual identifiers (personal data components) must be stored separately. The process of pseudonymization differs from US Anonymization methods prescribed by HIPAA and GLBA.
- If your organization suffers a data breach, in which personal data was accessed, you must report the Incident to EU Authorities and the affected Data Subjects within 72 hours of detection.
- You should revise your Incident Response Plans to account for this disclosure schedule.
- Broader individual protections than U.S. Privacy Laws.
- Data Subjects must provide explicit consent (Opt In) before your organization can process their data. In the US, most collected consent is implicit, and organizations offer the right to Opt Out.
- Data Subjects can also opt out at any time, and can demand to be forgotten. Can your systems forget a Data Subject on demand?
- Your organization must provide Privacy Statements and mechanisms for Data Subjects to grant consent, in clear language and without repercussion.
Do you need help with a strategy to comply with GDPR? CyberSafe 360 can help.