The General Data Protection Regulation, or GDPR, is legislation of the European Union (EU) which was approved on April 27, 2016. It is going to be implemented on May 25, 2018. Although the GDPR is an EU law, non-EU organizations will still be impacted and should be aware of it in order to avoid violations, because non-compliance can carry penalties. If your organization has establishments in an EU member state or processes the personal data of an individual residing in an EU member state, your organization is required to follow the GDPR. If your organization operates or provides products and services using the internet, it is quite likely that you must follow the GDPR.
The companies that are required to adjust their practices to comply with the GDPR include those based within the EU. If your company is situated in one of these EU member states, you have to comply with the GDPR:
Austria, Belgium, Bulgaria, Croatia, Czech Republic, Republic of Cyprus, Denmark, Estonia, France, Finland, Germany, Greece, Hungary, Italy, Ireland, Lithuania, Latvia, Luxembourg, Malta, Netherlands, Portugal, Poland, Romania, Slovenia, Slovakia, Spain, Sweden, United Kingdom
The effect of the GDPR is going to be worldwide. EU countries are likely to experience the most change and are actually getting ready for it. However, non-EU nations will probably experience greater disruption with the implementation of the GDPR. A lot of companies outside the EU are still not wholly knowledgeable about the approaching change. Furthermore, there is a difference in the understanding of privacy between EU and non-EU communities. The United States, for instance, has privacy laws which safeguard “sensitive” data. The Health Insurance Portability and Accountability Act (HIPAA) controls healthcare data. The Gramm-Leach-Bliley Act controls financial data. Yet with regard to “general” data, there aren’t any particular rules. With the GDPR, U.S. organizations might need to set up a number of procedures to deal with personal data properly, depending on whether it comes from the EU or not.
Utilizing systems that adhere to the GDPR might be too complicated and too expensive for US-based institutions and may dissuade them from offering their services to consumers in the EU. One technique that US-based institutions can adopt is to protect “general” data in the same manner as “sensitive” data. This makes it possible for the organization to use a single system while complying with both HIPAA and the GDPR, for instance. It isn’t clear yet whether U.S. institutions will consider this approach.
The GDPR requires tight controls on transferring data to make sure that every individual in the EU gets the same protection regardless of whether the data is stored or processed in non-EU nations or by international organizations. Data transfer is only permitted if the EU Commission has established that the transfer destination or receiving entity provides an adequate level of protection. The EU Commission reviews these permissions and compliance with its criteria every four years.
An institution that breaks the GDPR may face a maximum fine of €20 million or 4% of annual turnover, whichever is greater. Additionally, non-compliance could result in sanctions and the loss of the business. Institutions must review their methods of collecting, processing and storing data to make sure they are GDPR compliant by May 25, 2018.