As you might have heard, the GDPR (General Data Protection Regulation) comes into force in the EU on May 25 2018. The GDPR is a very comprehensive regulation dealing with practically all aspects of personal data. The regulation is relevant not only for EU companies and public institutions but also for organizations outside the EU.
The EU Parliament requires all companies managing personal data of/about EU citizens, regardless of their location, to comply with the regulation. Whether you are Amazon, Google, Facebook, or just a small shop from Serbia selling products online, if any personal data of EU citizens comes into your information systems, you become liable.
And the liabilities are substantial. Starting from May 25 2018, the highest penalties for a GDPR violation can reach up to 4% of your revenue or €20 million, whichever is higher. We don’t expect penalties to exceed a company’s ability to pay, i.e. a small shop will never be penalized with millions of euros, but the new rules enable the Information Commissioners, appointed in each member state, to go after any global company with a legal weapon heavy enough to hurt anyone.
What non-EU companies should be aware of is that, if they work with EU citizens’ data, any collection or management of personal data should comply with the regulation, just as if the companies were inside the EU. In many cases, especially for small companies, this doesn’t mean much, but where the business model relies on the collection and management of personal data, such as marketing profiling, the impact will be substantial.
Compliance is easy for those not collecting personal data beyond what is needed to fulfil a contractual obligation. In all other cases, unambiguous individual consent will be needed, requiring companies and public institutions to deliver the 6 basic services corresponding to the 6 basic rights that all EU citizens have under the GDPR.
These rights are:
- Right to give or retract consent, by purposes of use
- Right to receive all data relating to him or her
- Right to correct any part of data relating to him or her
- Right to be erased (forgotten)
- Right to move data to another controller
- Data breach notification right – within 72 hours
If you would like to perform a self-assessment of whether you should start preparing for compliance, we recommend you answer the First Step questionnaire at www.ascaldera.com/gdpr. Ascaldera and Info House are ready to help with any GDPR-related topic.