Are you ready for GDPR?

The EU symbol, with people standing behind it.

Posted on Wednesday, March 29, 2017

US businesses might have been forgiven for thinking that the worst of their European data problems had been solved with the introduction of the Privacy Shield agreement. Unfortunately, everything is about to change again.

Introducing the General Data Protection Regulation (GDPR)

As part of their continued efforts to protect citizens, EU member states are set to implement the GDPR in May 2018. We are currently half way through a two-year transition phase intended to give businesses breathing space while they improve strengthen their safeguards.

For many US businesses, the GDPR would be easy to ignore – after all, it only applies to EU member states, right? Unfortunately, things are not that simple.

Under GDPR, any business holding EU citizen’s personal data is bound by its terms. Including those based in the US.

It can’t be that bad, can it?

Punishments for breaking data protection regulations are varied and relatively ineffective across the world – one of the reasons the GDPR has been used to enforce a common standard across the EU. Under the new regulation, non-compliant businesses risk fines of up to €20,000,000 or 4 percent of annual turnover, whichever is the greater.

Clearly, fines of that magnitude are out of the question for most businesses, so what do they have to do to demonstrate compliance?

Your basic responsibilities

Most of the new compliance obligations are common sense. Your business is expected to:

  • Include data protection measures at the design phase of all business processes, products, and services.
  • Set the default security for any application to “very high”.
  • Delete customer from your systems if they ask you to (under certain circumstances).
  • Provide an electronic copy of individual records for transfer to another service if requested.

Organizations applying algorithmic decision-making (like insurers) are also expected to provide an appeals process to affected customers.

Time to act

With GDPR going live next year, any company handling personal data of EU citizens need to get their operations in order. After all, the cost of negligence simply cannot be absorbed by most businesses.