European General Data Protection Regulation (GDPR)

Background

GDPR is a comprehensive EU-wide law that gives individuals the ability to control the collection and use of their personal data. The GDPR is based on the fundamental right to data protection enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. This fundamental right is akin to a constitutional right in the U.S. By empowering individuals to control how their data may be used, the GDPR presents companies doing business in Europe with significant compliance and operational challenges. With significant possible fines for noncompliance – up to the greater of €20 million or four percent of organizations' worldwide annual gross revenue – it is legislation that cannot be ignored.

GDPR’s strict requirements apply to organizations that collect or process the personal data of individuals in the EU. A company does not have to have a physical presence in the EU to be subject to GDPR; as long at the company collects data on EU EU residents, it must comply with the law’s requirements.

Additionally, the regulation requires that organizations:

• Hire a Data Protection Officer to oversee GDPR compliance;
• Report data breaches to the relevant EU regulator within 72 hours
• Enforce strict record keeping for data processing activities;
• Conduct data protection impact assessments for higher risk processing;
• Take into account data protection when designing new technologies, systems, or services; and
• Roll out new compliance policies, procedures, and governance controls requirements.

GDPR compliance is not a mere check-the-box exercise or a problem that has a one-size-fits-all, off-the-shelf solution. Compliance needs to be consistent with the risk environment, business needs, and available resources.