GDPR FAQ

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union law implemented on May 25, 2018, requiring organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which had created a country-by-country patchwork of data protection laws. Passed by the European Parliament with an overwhelming majority, the GDPR unifies the EU under a single data protection authority. The GDPR is applicable to ALL EU companies, regardless of private, for-profit or non-profit status.

Who must comply with the GDPR?

Any organization that ‘processes’ the personal data of individuals in the EU must comply with the GDPR, even if the organization is not physically located in the EU. Organizations operating in North America (Canada, Mexico, United States), South America, China, Asia-Pacific and elsewhere that process the personal data of data subjects within the EU are all subject to GDPR compliance.

‘Processes/processing’ covers 99.9% of aspects related to digital data: analysis, collection, storage, transmission and more.

‘Personal data’ is any information directly associated with an individual, such as address, email, gender, IP address, name(s), political affiliation, telephone number, etc. Even an organization with no other connection to the EU must be compliant if it processes the personal data of people doing business or residing in the EU.

What are the GDPR fines?

The GDPR enables data protection authorities in each EU country to issue sanctions and fines to organizations found in violation. The maximum penalty per violation (with no defined limit on the number of violations per company per year) is €20 million or 4% of global revenue, whichever is higher. GDPR data protection authorities can also issue additional sanctions above and beyond a fine, such as limitations on data processing or a public reprimand.

How do I comply with the GDPR?

Organizations can become GDPR-compliant by implementing technical and operational safeguards to protect the personal data they control. Conduct an initial GDPR assessment to determine what personal data is being managed, where it is located, and how well it is secured. You must also adhere to the GDPR privacy principles, including, but not limited to, obtaining consent and ensuring data portability. You may also be required to appoint a Data Protection Officer and update your privacy policy notices, along with other organizational data privacy measures.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is an individual within the organization who is responsible for understanding the GDPR and ensuring organizational compliance. The DPO is the main point of contact for the EU data protection authority and has both the legal and technical knowledge needed to apply procedural compliance within the organization. An organizational DPO is a required resource for GDPR compliance.

Does the GDPR require encryption?

The GDPR requires organizations to implement technical and organizational measures that ensure the security of personal data. Those measures may include data encryption options, including encryption of digital (email) correspondence.