The General Data Protection Regulation (GDPR) takes effect May 25, 2018. If you process European Union (EU) personal data, GDPR likely applies to you, even if you’re not in the EU. That’s because the regulation is truly global in scope and applies to any organization that processes EU personal data, irrespective of where the organization is based or where the data is processed.
At its heart, the GDPR legislation is about ensuring that privacy is respected as a fundamental right and that personal data is kept private and secure. Elizabeth Denham, of the EU Information Commissioner’s Office (ICO), says, “This law is not about fines. It’s about putting the consumer and citizen first,” and “Issuing fines has always been, and will continue to be, a last resort.”
However, it’s important to note the costs of noncompliance can be severe. These can include a fine of up to 4 percent of global turnover (revenues) or €20m, whichever is higher; a temporary or permanent suspension of the right to access or process EU data; and the less easily measured but no less harmful damage to one’s brand and reputation.
As you prepare for GDPR, let’s look at the three fundamental data protection questions you face:
• Where is the personal data I process?
• Who has access to this data and what are they doing with it?
• How do I ensure this data is protected, including after a breach?