The clock’s ticking down for the EU’s General Data Protection Regulation (GDPR)—which goes into effect on May 25, 2018—but despite the impending deadline, there are still quite a few misconceptions around the regulation and its fine print. To help you make sense of the legislation (which is composed of 99 dense articles), we’ve created a quick and handy guide, which covers the basics of GDPR and how the new set of rules will impact the B2B companies that do business in the EU.
Four years in the making, GDPR aims to give EU citizens more control over their personal data and requires the companies that collect, process and store that data to comply with a set of stringent rules. Among the provisions, the rules give EU citizens the ability to ask companies to remove certain online data about them. For the companies that don’t comply, the EU is doling out fines of up to 20 million Euros or 4 percent of their annual revenue (whichever is greater).
As the GDPR comes into effect, it brings with it a wave of change around how companies handle personal information, including the following:
Consent: The GDPR changes the requirements for consent, which must now be easy to understand, accessible and easy to withdraw.
Data Subject Access Rights: The GDPR expands data subject access rights with regard to accessibility, data portability and data erasure—the last of which is also known as the right to be forgotten.
Breach Notification: The GDPR shortens the breach notification timeline to 72 hours for any breach that may result in a risk to the rights and freedoms of individuals.
Data Protection Officers (DPO): The GDPR requires many organizations to appoint a DPO, an expert in data protection law who is required to undertake a series of compliance oversight actions.
Privacy by Design: The GDPR requires implementation of privacy by design, including the use of data protection impact assessments (DPIAs) and applying the principle of data minimization.
The GDPR impacts all companies that process the personal data of EU individuals, regardless of whether it’s customer or employee data. As a result, B2B companies have to take a set of actionable steps for internal compliance and document that compliance. In addition to complying with the new set of rules, B2B companies also have to be ready for audits by both customers and regulators.
The road to GDPR compliance is a long one, but there are some steps companies can take to guide them towards compliance:
DISCLAIMER: This blog post and the materials on this website are not legal advice for compliance with the law. This article is meant to provide general background information to help you better understand the law and is for informational purposes only. If you have questions about your specific circumstances or a particular issue, you should consult your attorney. You may not rely on this article as legal advice or as a recommendation of a specific legal understanding.