The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that was agreed upon on April 27, 2016. It will be enforced from May 25, 2018. Though GDPR is EU legislation, non-EU institutions are still affected and must be aware of it, since non-compliance can have consequences. If your institution has offices in an EU country or processes the personal data of a person living in an EU country, your institution must follow the GDPR. If your business operates or offers services via the internet, it is very likely that you need to comply with the GDPR.
Organizations located within the EU need to align their practices with the GDPR. If your organization is located in one of the following EU member states, you need to follow the GDPR.
- Republic of Cyprus
- Czech Republic
- United Kingdom
The impact of GDPR will be global. EU countries are expected to see the most change and are already preparing for it. But non-EU countries will likely see greater disruption with the introduction of GDPR, as many organizations outside the EU are still not fully aware of the coming change. Moreover, there is a difference in the expectation of privacy between EU and non-EU societies. The United States, for example, has privacy laws that protect “sensitive” data: the Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare information, and the Gramm-Leach-Bliley Act regulates financial information. But when it comes to “general” data, there is no specific regulation. Because of the GDPR, U.S. entities may need to put in place separate procedures for handling personal information correctly, depending on whether or not it originates from the EU.
Implementing systems to comply with the GDPR may be too complex and too costly for US-based organizations and may discourage them from offering their services to the EU. One strategy US-based organizations can adopt is to protect “general” data in the same way as “sensitive” data. This allows the organization to use the same system while complying with both HIPAA and GDPR, for example. It is not yet clear whether US organizations will try this approach.
The GDPR imposes strict controls on transferring data to ensure that every person in the EU enjoys the same protection regardless of whether the data is stored or processed in non-EU countries or by international organizations. Data transfer is only allowed if the EU Commission has determined that the transfer destination or receiving entity provides an adequate level of protection. The EU Commission reviews permissions and adherence to standards every four years.
An organization that violates the GDPR could face a maximum penalty of €20 million or 4% of annual turnover, whichever is higher. In addition, non-compliance may result in sanctions and loss of business. Organizations need to audit their systems for data collection, processing and storage and make sure they are GDPR compliant by May 25, 2018.