The GDPR requires all businesses worldwide that do business with the EU to protect the personal data and privacy of EU citizens for transactions that occur within the EU member states. Non-compliance can cost companies a large sum.
Here’s what you need to know about the GDPR if you are doing business in Italy or elsewhere in Europe.
The GDPR takes a wide view of what constitutes personal identification information. To comply with the GDPR, you will need the same level of protection for data such as an individual’s IP address or cookie data as you do for your clients’ names, addresses and Social Security numbers.
What is the GDPR?
GDPR carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. This privacy legislation imposes stricter requirements than its predecessor, the Data Privacy Directive, and is not open to interpretation by national governments. The GDPR will affect Canadian organizations that offer goods or services to EU residents, even if they are based in Canada.
What types of personal data are protected under the GDPR?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Does the GDPR affect my company?
Even if you do not have a business presence within the EU, if your company stores or processes personal information about EU citizens who live within the EU member states, you must comply with the GDPR.
You must comply with the GDPR if your company has:
- A presence in an EU country, or no presence in the EU but processes the personal data of European residents.
- More than 250 employees, or fewer than 250 employees but data processing that affects the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
In other words, almost all companies that do business with or in the EU are affected by the GDPR.
When does my company need to be in compliance?
Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. This deadline is moved to August 21st for Italy.
- Report of the Special Committee for Urgent Government Acts (Commissione Speciale per gli atti urgenti del Governo) of the Chamber of Deputies, 23 May 2018
- Report of the Special Committee for Urgent Government Acts (Commissione Speciale per gli atti urgenti del Governo) of the Senate, 23 May 2018
What if I don’t follow GDPR? What are the penalties?
The GDPR comes with severe penalties for violations. Breaches could result in a fine of up to 20 million euros or four percent of your company’s worldwide revenue, whichever is higher. Repeated breaches of the regulation and failure to address the issue can result in even higher fines of up to €40 million.
How will the fines be enforced?
GDPR enforcement will be up to the national data protection authorities in each jurisdiction. Be mindful that your company can be sued privately as well, which means that non-compliance can be costly even if your company is not fined by the relevant data protection authority.
Defining Roles in accordance with the GDPR
The GDPR defines several roles that are responsible for ensuring compliance:
- Data Controller: defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
- Data Processor: may be the internal group that maintains and processes personal data records, or an outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance.
- Data Protection Officer (DPO): the GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance.
It’s possible, then, that both your company and your processing partner, such as a cloud provider, will be liable for penalties even if the fault lies entirely with the processing partner.
Do I need to appoint a DPO?
Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.
Does the GDPR affect third-party and customer contracts?
Your company must inform customers of their rights under the GDPR.
As for third parties, if a third-party processor does not comply with the GDPR, you will be held liable. The GDPR has strict rules for reporting breaches that everyone in the chain must be able to comply with.
This means all existing contracts with processors (including cloud providers) and customers need to spell out responsibilities, define consistent processes for how data is managed and protected, and state how breaches are reported.
You need to ensure that every vendor with access to your clients’ personal data adheres to the GDPR and processes the data accordingly.
Client contracts, whether they are online click-throughs or formal agreements, also need to reflect the regulatory changes in how you view, access, and process data.
If one of your vendors says, ‘You were hacked last night,’ you need to know whom to call and how to respond in order to meet the 72-hour breach reporting window that the GDPR requires. You want a clearly defined path in the contract for the information to reach the person in your organization responsible for reporting the breach.