General Data Protection Regulation (GDPR) is a legal set of guidelines for the collection and processing of personal information within the European Union (EU), and is scheduled to come into effect on May 25, 2018. GDPR rules impact companies, government agencies, non-profits, and any other organizations that offer goods and services to people in the EU, or collect and analyze personal data tied to EU residents, and failure to comply can result in financial penalties or prohibition on data collection. One way to view GDPR is like the Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI), only for other organizations that collect personally identifiable information (PII). GDPR is applicable regardless of where your company is located – including the United States.
If your organization does business with the EU and collects or uses personal data in an automated manner, here are some of the key issues and concerns you need to be aware of:
- PII must be protected prior to being processed, so that PII can’t readily be attributable to an individual
- Where PII is routinely used, such as in human resource records, it must be protected so that the individual cannot be identified
- Where data is aggregated for warehousing, that data must be protected from identification, which may minimize the amount of data that organizations collect to only that which is pertinent to complete a specific transaction
- Organizations must keep records of their compliance and demonstrate such compliance to regulators
- Organizations are required to notify supervising authorities about data breaches and must document the incident, its impacts, and actions taken to remediate the breach
- Depending on the type and size of the organization, a Data Protection Officer may be required
While GDPR was passed in 2016, it is still a work in progress, and its regulations and processes will likely be clarified as they are applied. However, it does mean that your organization needs to be vigilant and ready to minimize any penalties.
Trillium has significant experience in privacy and cybersecurity, and can assist your organization in determining whether GDPR impacts your organization, and what may be required to bring you into compliance.