GDPR: Key Operational Impacts
The General Data Protection Regulation (GDPR) describes a set of laws put forth by the European Commission in 2012 and finally enacted in 2016. All companies that operate in the European Union—including US companies that conduct business with European clients—will need to make all changes necessary to become fully compliant with the GDPR by May of 2018.
Most companies, in our current era of emphasis on data security, have already adopted privacy rules and data safety measures that more-or-less align with the requirements of the new law. In fact, many data teams and CEOs have scrambled to change their protocols only to discover that most of the necessary boxes have already been checked. Recent high-profile breaches and the need for defense against increasingly sophisticated hacking techniques have kept some data teams unwittingly ahead of the game.
But for those who haven’t looked into the issue, we have one message: Start now. Recognize that the fines and penalties for non-compliant data managers are steep and serious. Here are a few of the finer points of the GDPR that can’t be ignored.
GDPR Operational Impacts
- Data breach notification requirements: The GDPR covers who, when, and how to contact when an unavoidable disaster takes place.
- Data Protection Officer (DPO): Companies will need to hire an employee for this role, and the sourcing, selection and onboarding process should start sooner rather than later.
- Consent: Consent rules have changed, and obtaining signatures and releases will now be a more in-depth process than before.
- Cross-border data transfers: Cross-border transfers, transfers with third countries, and transfers to international organizations will be allowed by the GDPR, as long as these transfers comply with set conditions and make provisions for onward transfer.
- Portability and other rights: The GDPR will establish new rights for those who own the data in question, including the right to portability and the right to be “forgotten.”
- Pseudonymisation: The GDPR does not apply to data subjects that cannot be identified as a “natural person”, or who have been rendered anonymous to the point that they can’t be identified at all. But pseudonyms can be applied which can separate the data from direct identifiers and hold each of these two pieces of information in distinct places. The GDPR encourages data controllers to use this process.
These are the primary impacts that the GDPR will bring to most affected companies in the US—though this list by no means covers all the required areas of compliance.