
Should my company worry about GDPR?
A quick FAQ for the uncertain
GDPR compliance is a big subject which I’ve been studying for a few months now. This is a simple guide to help you figure out whether or not your company will be expected to comply with this regulation.
Summary
If your company is or soon will be processing personal information of EU citizens — no matter where your company is in the world — then the short answer is YES. You will be required to comply with the General Data Protection Regulation.
What happens if we don’t?
You will potentially face big fines. [Art. 83]
How much are we talking?
Depending on the severity of the infraction, it could be either up to €10,000,000 or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; for more serious cases, up to €20,000,000 or 4% of annual turnover. [Art. 83]
How long do we have?
The GDPR enters into force May 25, 2018. [Art. 99]
But we’re not even in the European Union — are we required to comply?
Yes. [Art. 3]
But we’re offering a free service — are we still obligated?
Basically there are no ‘free’ passes here. If you’re processing EU citizens’ personal data for purposes other than purely personal (or as a public authority), you’re required to comply. [Art. 3]
But we offer business-to-business service, what about that?
You’re still obligated to comply with the regulation. Depending on your business arrangement, you may be considered either a data controller [Art. 24] directly, or a data processor [Art. 28], in which case you’re processing data on behalf of a controller. Responsibility for compliance is shared between both controllers and processors.
Further, if you’re processing EU citizens’ data on behalf of a controller, you’ll need to have specific contractual terms with any controller(s) laying out their expectations with regard to GDPR.
Okay, so what’s covered under “personal information,” then?
Basically, everything you can think of. From Art. 4:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
What will be required for compliance?
Sadly, the short answer is that there is no short answer. You’ll have to comply with all relevant sections of the regulation.
Some of the jargon around the regulation can get quite complex as well, and there’s really no better source than the regulation itself and the Recitals (which are non-binding, but provide additional information regarding specific articles).
Some notable highlights:
- All processing must be fair & lawful. [Art. 6]
- Respect the rights of the data subject. [Art. 12–23]
- Keep records of processing (e.g. audit trail). [Art. 30]
- Cooperate with supervisory authority. [Art. 31]
- Process all personal data securely. [Art. 32]
- Communicate data breaches to supervisory authority [Art. 33], and to data subjects. [Art. 34]
- Perform data protection impact assessments (DPIA) where appropriate or required. [Art. 35]
- Designate a data protection officer where appropriate or required. [Art. 37]
- Follow requirements for international transfers of data. [Art. 44–50]
Again, this topic goes pretty deep. This is just to get you started if you haven’t already begun looking into it. I also have other articles on subjects related to the GDPR and privacy/data protection, if you’re curious.
Happy GDPR-ing!
Photo by Paul Morris on Unsplash
