The GDPR Buzz

It’s been a little over a week since GDPR dropped, so we figured it’s a good time to break it down for you, F&C style. Curious what everyone has been buzzing about? We’ve got you, boo.

What?

The General Data Protection Regulation, or GDPR, is new legislation (similar to the UK’s Data Protection Act) in the EU designed to give people more control over their person data. The primary goal of the GDPR is to simplify the regulatory environment for private citizens and businesses so all can benefit from a healthy digital economy. This initiative involves new laws regarding personal data, privacy, and consent related to social media, banks, retailers, online publications, government, etc. GDPR compliance will involve organizations ensuring that personal data is gathered legally and under strict conditions, while being protected against misuse and exploitation. If organizations don’t do this, they will incur penalties. Who? If you operate in the EU OR offer goods or services to people in the EU, this applies to you. If you haven’t looked at GDPR compliance yet, now is the time. (Especially since the compliance deadline was May 25!)

Why?

We hear about data breaches all too often. After four years of preparation and debate, the European Parliament approved GDPR in April 2016 with the goal of reducing breaches and giving citizens more control over their personal data. Under GDPR, consumers have a right to know when their data has been hacked and breaches must be reported within 72 hours.

How?

The legislation applies to two types of data-handlers, processors and controllers. From Article 4 of GDPR: A controller is "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data", while the processor is "person, public authority, agency or other body which processes personal data on behalf of the controller".

Mishandling of data or an outright failure to comply with GDPR can result in fines ranging from 10 million euros (~$12M...ouch) to 4% of the company’s annual global turnover. The maximum fine is for infringements of the rights of the data subjects, unauthorized international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for data. Lower fines are for failure to report a data breach and failure to build in privacy by design.

Whew. That’s heavy, but you get the gist. Most organizations should already have good governance measures in place, but this has resulted in new policies and procedures related to data. Cue privacy policy notifications flooding your inbox from any company you ever once subscribed to or shopped from...

Do you operate in the EU or offer products or services to those in the EU? If so, we’d love to hear about how you’ve tackled GDPR in the comments below!