business The General Data Protection Regulation (GDPR): What it means for your business August 29, 2017 In addition to companies needing to adhere to data privacy laws in the United States, the European Commission’s (EC) General Data Protection Regulation replaces Data Protection Directive 95/46/EC and is designed to put individuals back in charge of their data and personal information. Attention all organizations who store, process or handle personal data of EU citizens....The European Commission ratified the General Data Protection Regulation, or GDPR, which covers the capture, control and consent to use personal information. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to implement a uniform data privacy system across Europe. Even if you’re based outside of the EU, the GDPR still applies to your organization if you deal with the personal data of any EU citizens. Purposes of GDPR Harmonize data privacy laws across Europe Protect all EU citizens’ data privacy Restructure the way organizations across the region tackle data privacy. GDPR broadens the scope of personal privacy laws to protect the data rights of citizens of the EU Under the GDPR..... Individuals will have greater control of who has their data, and how it will be used. Organizations must report on data breaches within 72 hours. Organizations will be bound by more stringent rules for obtaining consent from individuals on how their data can be used. How do you know if you’re subject to the GDPR? This depends on whether or not your organization is established in the EU. An organization established in the EU is subject to the GDPR, which replaces the Directive (and overrides national laws that implement the Directive). An organization based outside the EU is subject to the GDPR if it either: Offers goods or services to EU data subjects; or Monitors the behavior of EU data subjects. Any organization that is subject to the GDPR should review its obligations under the GDPR and take a risk-based approach to satisfying those obligations. Preparing for GDPR If you know you are subject to the GDPR, there are a few things you should do to prepare, this includes.... Document all personal data you hold, where it came from and who you share it with Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Designate someone (“Data Protection Officer”) to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. Determine your lead data protection supervisory authority if your organization operates in more than one EU member state. When does GDPR replace the Data Protection Directive? The GDPR will apply starting May 25th, 2018. The GDPR applies to all businesses in the EU; however all businesses marketing services or goods to EU citizens should be preparing to comply as well. Businesses will benefit from avoiding costly penalties while improving customer data protection and trust. Stay tuned for more information once the effective date draws closer. Contact our Information Security Services team for more guidance.