David Kellett is the owner of K.I. Computing in Powell, WY.
First, I want to start by giving my sincere condolences to the victims of the recent terror attack in New York City that claimed the lives of eight people. I pray that the families of all the victims receive comfort and guidance to help them through these troubling times.
With that said, let’s discuss the GDPR, the European Union’s new data protection regulation, which applies from May 25, 2018. It reaches well beyond Europe: any business that offers goods or services to people in the EU, or monitors their behavior, falls within its scope (Article 3), so United States companies can be held to it even though they have no office in the EU.
What is the GDPR?
The GDPR, or the General Data Protection Regulation, is Regulation (EU) 2016/679. It is designed to strengthen and unify data protection for individuals in the European Union, and it also governs the export of their personal data outside the EU.
Its primary focus is to give individuals control over their personal data while simplifying the regulatory environment for international business: it replaces the patchwork of national laws built on the Data Protection Directive of 1995 (Directive 95/46/EC) with one regulation that applies directly in every member state. It will change the conversation on privacy protection. If your company handles personal data about anyone in the EU, not just data you would consider sensitive, you need to be aware of this.
What does the GDPR change?
Any organization that offers goods or services to people in the EU, even for free (non-profits, beware), is subject to the GDPR, and so is any organization that monitors their behavior. All of them must comply with the GDPR or face the consequences. Cloud-based companies are especially exposed: under the GDPR a processor that handles personal data on behalf of a customer has direct obligations of its own (Article 28), instead of simply passing the problem on to the customer.
What can you expect?
When the GDPR takes effect you are required to be compliant on day one; there is no grace period after May 25, 2018. Employee awareness training is expected, and in organizations that appoint a Data Protection Officer (DPO), the DPO is responsible for it (Article 39). A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data such as health or biometric data (Article 37); other organizations may appoint one voluntarily, and many will. The DPO is also responsible for monitoring compliance, including periodic audits that demonstrate you are in compliance. So far, specific requirements for training content have not been given.
The sensible approach is to train all of your employees, whether they have access to personal information or not. Any employee who can open a phishing email or download malware can be the entry point for a breach, so they must be trained.
Data protection by design and by default (Article 25) is required. You have to have sound technical and organizational measures in place, and they must be built into new products and services from the start, not bolted on afterward. Data collection must follow the principle of data minimization (Article 5): collect as little data as possible, no more than is necessary to do business, and keep it no longer than needed.
The DPO and IT must coordinate the implementation of measures that reach a level of security appropriate to the risk (Article 32). They must also put breach-response procedures in place that get breach information to the right people quickly, because you are required to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (Article 33) or face fines. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of any individual; when the risk is high, the affected individuals must be notified as well (Article 34).
The DPO is to ensure that your business is compliant with the new EU rules even if you do not have operations in the EU. The DPO must be able to operate independently, reporting to the highest level of management and taking no instructions on how to carry out the role (Article 38). There are additional requirements for companies that process personal data on a large scale, such as data protection impact assessments for high-risk processing (Article 35).
What are the Fines?
In the case of non-compliance, or a data breach that is not reported on time, the fines you face are severe. The most serious violations carry a fine of up to 20 million euros or 4% of total worldwide annual turnover (revenue, not profit) for the preceding financial year, whichever is greater (Article 83).
What’s the difference between GDPR and other EU – US regulatory statutes?
It is not the same as the Privacy Shield, the Safe Harbor Framework, or the Data Protection Directive. It is the successor of the Data Protection Directive. Safe Harbor was a separate EU–US arrangement for transferring personal data to the United States; it was struck down by the EU’s Court of Justice in 2015 and replaced by the Privacy Shield in 2016, which operates alongside the GDPR as a transfer mechanism rather than being replaced by it. The GDPR’s aim is to protect the personal data of individuals in the EU wherever that data goes, including when it is transferred between the EU and the United States, and to ensure that businesses dealing with this personal information are real, legitimate, and doing all that they can to protect a client’s data. It is therefore broader in scope than any previous legislation.
The GDPR is going to put more pressure on businesses here in America. It will push them to train their employees on cyber security, in house or through organizations that provide that training, and, where a DPO is required, to hire organizations or individuals who can act as one. They will have to make sure those people can, and do, work with their IT personnel to assure compliance. If you fail to do proper audits or training, you face enforcement action from EU supervisory authorities, which can be brought against United States companies that fall within the regulation’s scope.
You need to plan for these events and have the proper policies in place, and you should do this before May 25, 2018. Please feel free to contact us for more information. We want to make sure you and your company are protected from the repercussions these new regulations carry.
434 S. Gilbert St.
Powell, WY 82435