What Is GDPR?
The European Union General Data Protection Regulation (GDPR), described as “the most important change in data privacy regulation in 20 years,” becomes enforceable by law on May 25. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Organizations located within the EU that offer goods or services to, or monitor the behavior of, EU data subjects, and all companies processing and holding the personal data of data subjects residing within the region, are expected to comply with the new regulations.
Notification Requirements under GDPR
Under GDPR, companies can expect accelerated notification timelines: supervisory authorities and data subjects must be notified within 72 hours of officials first becoming aware of a data breach. The chart below outlines these requirements:
Potential consequences for non-compliance with these GDPR notification requirements not only include hefty financial fines — up to €10 million or up to 2 percent of the total worldwide turnover of the preceding year — but also potentially significant impacts to brand reputation over the long term.
What Can Companies Do to Get Ready?
Gartner predicts only 50 percent of companies impacted by GDPR will be compliant by the end of 2018. So, what can organizations do to get ready?
Focus on Breach Prevention
Review and Enhance Your Plans
Educate and Equip Employees
Test and Train the Team
Andy Liuzzi is an executive vice president, Crisis & Risk Management, Chicago.