Privacy Is Costly For Companies Under New EU Regulation
Selling overseas or soliciting business in the European Union? You have two weeks to comply with the EU’s new General Data Protection Regulation. Mistakes are costly, so be ready.
The regulation, effective May 25, was created to provide better data security and privacy protection for EU citizens. GDPR applies to any company or organization that stores the email address or other online identifier of even a single EU citizen who resides in the EU, and it affects any company or organization that collects or processes the personal data of an EU citizen residing in the EU, regardless of where the company is located or where the personal data is stored.
Compliance is a detailed, complicated and multilayered process, and companies should consult technical and professional advisers to assess their operations and make the changes needed.
The major requirements of GDPR include:
- EU citizens residing in the EU must consent to the storage and use of their personal data. Consent requires an affirmative action by the individual; pre-checked opt-outs are not compliant.
- Individuals who are EU citizens/residents and EU authorities must be notified within 72 hours of discovering a security breach impacting the personal data of such individuals.
- EU citizens/residents must be able to receive copies of their digital personal data on request, along with a description of where the data are stored and how they are used, and the opportunity to correct them.
- EU citizens/residents have the right to have their personal data deleted and not used or shared.
- GDPR requires that organizations build data privacy controls and security into products and systems. The maximum fine for infringements is $24 million or 4% of the offender’s worldwide sales for the prior financial year, whichever is greater.