GDPR is on everyone’s minds. If you don’t already have the required security tools and controls in place, your organization will need to start planning now to achieve compliance and mitigate the risk of high fines for failing to comply. The deadline for GDPR is May 25, 2018.
- Who does GDPR apply to?
The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU at the time the data is accessed. This is the case where the processing relates to the offering of goods or services or to the monitoring of behavior that takes place in the EU.
Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR.
- What happens when you fail to comply?
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of the preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less serious infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.
A report by Gartner predicted that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018. Considering that one of the main objectives of the GDPR was to expand the territorial scope, companies based outside the EU should not be surprised to find that they are a particular target of data regulators.