Yes, it does. It’s true the GDPR concerns the personal data of people living in the EU; however, what it actually regulates is the gathering and processing of this data, no matter where that takes place. If you decide not to comply, the fact that your business is based in Asia Pacific. will not be enough to keep you from a fine of approximately $24 million USD (€20 million), or 4% of your company’s global annual revenue.
Article 9 of the GDPR outlines several types of sensitive data that are prohibited to process. These are considered separate from the general data referred to in the rest of the text and include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership … genetic data, biometric data … [and] data concerning a natural person’s sex life or sexual orientation.” If your organisation collects or processes any of this type of particularly sensitive information, you face additional requirements for doing so.
As long as the information collected qualifies as personal data pertaining to an EU citizen, it falls under this regulation — regardless of when it was collected. For example, let’s say a handful of French citizens signed up for your company’s email newsletter back in 2014, and those addresses are still in the company database. As of May 25, 2018, you will have to provide proof those data subjects gave their consent as outlined in Article 7 of the GDPR. Plus, those citizens will have the same right to rectification, erasure, restriction of processing and data portability as those whose data is collected post-GDPR.
The data chain starts with your business, but even if you’re using a third party to store personal data, you’ll still be held responsible for meeting GDPR requirements. In the event of a data breach, both you and your cloud service provider will need to comply with GDPR policy. Because of that, it’s imperative that you have documentation of their data protection policies and processes as they relate to this regulation.
Your organisation would be required to appoint a Data Protection Officer (DPO) in only three situations:
These are rather vague designations. For example, nothing in the regulation clearly states what constitutes large-scale data processing. But here’s something to keep in mind: If your organisation is audited for compliance and the auditor discovers you’re required to have a DPO but don’t, the fines will be stiff.
Even if your company is on the fence about needing a DPO, or it doesn’t fit any of the above categories, it’s worth appointing a protection officer. The compliance process can be long and confusing — a DPO can be instrumental in helping your company navigate it successfully.
Sure, $24 million USD in fines is enough to get most companies working toward compliance, but there’s another incentive businesses should be focusing on. The GDPR represents a clear change in public opinion regarding the privacy of personal information — consumers and employees want greater control over who has their data and what they’re doing with it.
While the GDPR and its massive fines are making the headlines, businesses would do well to remember public opinion matters just as much. Companies that enthusiastically embrace these new rules for data protection will win major points with their customers. Businesses that don’t risk alienation.
Insight disclaims this as a full review on EU data privacy nor is it intended to be legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand some important legal points. You should not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. Insight suggests you consult an attorney if you’d like advice on your interpretation of this information or its accuracy or its applicability to your business.