GDPR - But I am a US company?
Are you ready for GDPR? Do you need to be ready? GDPR (General Data Protection Regulation) is the EU’s new data protection regulation that goes into effect May 25th, 2018. It is intended to protect EU citizens’ personal information from misuse and to give citizens more say in how it is used. Originally developed to replace Data Protection Directive 95/46/EC, it was designed to “harmonize” the privacy laws across the EU. The GDPR will not only apply to organizations located within the EU; it will also apply to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. This includes organizations that have EU citizens as employees.
‘Personal data’ is defined as any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Because of this broad focus on all EU citizens, even a US company needs to understand the impact of GDPR. The fines for non-compliance can be up to €20MM or 4% of annual global revenue.
The impact assessment starts with an understanding of the EU citizen data you hold and how you store, use and protect it. There are also requirements in the regulation, such as the “Right to be forgotten” and 72-hour breach notification, that can affect many processes in your organization. A comprehensive assessment of GDPR impact should cover information security standards and controls, business processes, and data governance controls and processes.
The compliance date is around the corner, so if you feel that you have GDPR requirements and have not started to address them, do not delay any further.