General Data Protection Regulation (GDPR) – the EU Data Protection Compliance
The enforcement of the European Union's new data protection law, the General Data Protection Regulation (GDPR), has not only reshaped the data protection landscape in the EU but also has an impact outside Europe, especially for companies that do business in the EU (even if they have no office there) or have EU residents as their customers. The GDPR came into force on 25th May 2018, introducing more stringent personal data protection than before and stipulating the responsibilities of businesses for how they process and handle data.
What is the General Data Protection Regulation (GDPR)?
Before we dive into how to stay GDPR-compliant, let us look at what exactly the GDPR is.
The General Data Protection Regulation (GDPR), as the name implies, is the single uniform data protection law in the EU, written for the digital age. The GDPR covers individuals, organisations, and companies that are either 'controllers' or 'processors' of personal data. Unlike the previous data protection law, the GDPR is extra-territorial in nature: it applies not just to organisations within the EU but also to organisations outside the EU that provide goods and services to EU residents, or that collect and analyse data belonging to EU residents.
As the world's largest trading bloc, the EU is a trading partner of most countries. Therefore, the GDPR's wider scope means it has affected many businesses worldwide. Organisations outside Europe need to stay GDPR-compliant if they wish to operate in EU member states, either directly or as a third party for others. Violation of the GDPR can lead to a whopping fine of €20 mil (RM101.23 mil) or 4% of the company's global turnover, whichever is higher.
A Quick Guide to Understand GDPR
1. Brief introduction
- GDPR is a European Union (EU) data protection regulation
- Repeals the Data Protection Directive (95/46/EC) of 1995
- Stringent data privacy regulation that expands the scope of personal information identifiers
- A uniform data protection legislation across the EU
- Requires no local implementing legislation
- Gives individuals back control of their personal data
- Simplifies the regulatory environment for international business
2. Wider scope of ‘personal data’
Personal data now covers genetic data, profiling information, IP addresses, and data in cookies.
3. Non-EU impact
GDPR applies anywhere EU citizens' personal data is processed or monitored.
4. Data Protection Officer (DPO)
The appointment of a qualified DPO (who reports directly to senior management) is a mandatory requirement.
5. Data Protection Impact Assessments (DPIA)
GDPR mandates that organisations carry out a DPIA, depending on the privacy risks and impact of the processing operation.
political opinions, racial information, and sexual orientation.
Is your company GDPR-compliant?
The extra-territorial nature of the GDPR has far-reaching implications for all companies that trade or do business in or outside the EU. Here are steps you can take to make sure your company is GDPR-compliant:
1. Do a Data Protection Impact Assessment (DPIA)
Start by reviewing the systems you already have in place and identifying their weak spots, so that you can strengthen data protection and security where it is needed.
2. Have a compliance officer
Appointing a Data Protection Officer (DPO) will help your company keep up with the constant changes in data privacy law and address data protection issues as they arise.
3. Understand and categorize your data
Sort out which of your business's data will be affected by the GDPR; such data could be found in contracts, HR documents, financial records or purchase order history. On top of that, identify where this data is kept, how it is processed, and who has access to it.
What if we don’t comply?
Non-compliance will land a big fine at your doorstep: any breach or violation of the GDPR can result in sky-high fines. The fine itself is not the only risk, however. A tarnished reputation is the other consequence, portraying your company as irresponsible and unprofessional.