- What is GDPR?
- Does your organization process personal data?
- What risks and penalties could your organization face?
- Does your organization need to comply with GDPR?
- How does my organization become GDPR-compliant?
1. What is GDPR?
The General Data Protection Regulation (GDPR) is Europe's data privacy and protection law, widely regarded as the toughest in the world, and has been enforced since 2018. It established a new global standard for data privacy and protection rights that organizations operating inside or outside the EU must follow.
2. Does your organization process personal data?
If you answered yes to this question, keep reading.
According to GDPR, personal data is defined as any information relating to an identified or identifiable natural person.
This may include:
- Mailing or email addresses
- ID numbers
- Location data
- Online identifiers, such as an IP address
- Factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity
No matter which country your organization operates in, you should consider how non-compliance with GDPR may affect your operations. Organizations that violate GDPR by failing to take measures to secure people's personal data face severe fines: up to €20 million or 4% of global revenue, whichever is greater.
3. What risks and penalties could your organization face?
Since GDPR enforcement began in 2018, the EU's Data Protection Authorities have issued over USD 1.6 billion in financial penalties to organizations ranging from start-ups to large corporations.
Enforcement has not been limited to EU-based organizations:
- A small California-based tech firm was recently fined €10 million (USD 11.6 million) for allowing its app to share sensitive location data without receiving explicit consent from users.
- On May 12th, a Canadian website operator was fined €525,000 (CAD 760,000) for not appointing a local GDPR representative in the EU.
- Larger US-based tech firms such as Amazon, Facebook, and Google have also incurred substantial fines due to GDPR violations.
Regulatory fines are only the tip of the iceberg, as an alleged violation could lead to civil lawsuits or result in reputational damage.
4. Does your organization need to comply with GDPR?
If your organization fits into one of the following two categories, you likely need to comply with GDPR:
- You have a physical presence in the EU and are processing personal data belonging to EU subjects; or
- You are not physically established in the EU but are processing personal data for either of the following two purposes:
  - Offering goods or services to EU data subjects; or
  - Monitoring the behaviour of EU subjects.
It is important to note that GDPR compliance is not limited to commercial entities. Non-profit organizations and professional associations collecting personal data from EU citizens and residents must also be compliant.
The following business scenarios fall within the scope of GDPR:
- You operate a website that collects and processes information from EU citizens or residents, such as registration data for product demonstrations and newsletters or IP addresses via website analytics.
- You provide free or paid subscriptions to software or apps that collect and process the personal data of EU citizens or residents.
- You are collecting and processing personal information from job applicants or employees who are EU citizens or residents.
5. How does my organization become GDPR-compliant?
Let's face it, properly addressing data protection and compliance is complex, and it's not going to get any easier. This is particularly true for small and medium-sized businesses (SMBs), which often lack the resources to hire dedicated privacy professionals.
Vayle Data Privacy Advisors can help. Schedule a no-obligation consultation with one of our advisors today.