On May 25, 2018, the General Data Protection Regulation (GDPR), aimed at enacting strong consumer protection laws, was enforced. The GDPR affects any organization that processes or handles the information of European Union residents and is meant for organizations to implement the appropriate processes to manage consumer privacy and build consumer trust. Since GDPR was approved in 2016, organizations had two years to lay out the groundwork and enhance their privacy practices in preparation of the compliance deadline. Now that GDPR has been enforced for over a month, here are a few things that we have seen.
Organizations Still Not Compliant
A recent CIO survey showed that 38 percent of global organizations responding to the survey said they are still not compliant with the new GDPR requirements. It is important organizations realize the consequences of noncompliance which can result in any of the following:
- A warning in writing in the cases of first and non-intentional noncompliance
- EU Commission-directed data protection audits
- Restricting access to data, including definitive and permanent bans
- Loss of the organization’s ability to operate in the EEA and EU Member States
- A fine of up to €20,000,000 or up to 4% of the annual worldwide revenue of the preceding financial year in case of an enterprise, which is greater
- Damaged reputation
Tech giants Google and Facebook were fined over $9.3 billion hours after GDPR was enforced, due to privacy complaints filed by its users. Although no fines have been fully enforced to date, GDPR regulators will be viewing organizations under a microscope to ensure they are following the requirements set forth in the GDPR. An organization can be questioned and found noncompliant with GDPR if there is a suspicion that a company is not conforming to the new regulation, or if citizens who believe their data subject rights were violated go to a court or contact a national data protection authority. Organizations should review their data processing and risk management, conduct a security assessment and execute a compliance strategy to ensure compliance with GDPR requirements.
Parliament Suspends Privacy Shield
On July 5, the European Parliament voted to suspend the Privacy Shield agreement, unless the United States (U.S.) becomes fully compliant by September 1, 2018. The Privacy Shield came into force in 2016 to allow the transfer of personal data from the EU to U.S. companies that have promised to adhere to European data protection standards. It helped create the adequate data protection laws needed for U.S. companies to meet the GDPR requirement.
So, how does this affect organizations under GDPR? Many U.S. companies rely on the EU – U.S. Privacy Shield as a valid data transfer mechanism by adequacy decision under Article 45 of the GDPR. If the requirements of the European Parliament are not met by September 01, 2018, then U.S. companies will have to use an alternative data transfer mechanism to satisfy the obligations set forth in Chapter 5 of the GDPR.
Difference Between GDPR & EU ePrivacy Regulation
On the heels of the GDPR comes the EU ePrivacy Regulation. Very similarly to the GDPR, which replaced the Data Protection Directive (Directive 95/46/EC), the ePrivacy Regulation will repeal and replace the Privacy and Electronic Communications Directive of 2002 (2002/58/EC).
Understanding the differences between these two regulations is imperative, so organizations implement the appropriate processes for compliance. The ePrivacy regulation is an enhancement of the privacy and data definitions that were introduced within GDPR, but focuses on the area of electronic communications data including cookies and unsolicited marketing. According to this article, each regulation was created to reflect a different segment of EU law:
- The GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, while;
- the ePrivacy Regulation was created to enshrine Article 7 of the charter in respect to a person’s private life.
Although the two regulations complement each other, compliance with the GDPR will not mean compliance with the ePrivacy Regulation. Consult with your third-party assessor to determine how the ePrivacy Regulation will affect your organization.
Moving Towards Compliance
A-LIGN’s assessors are available to assist your organization in understanding the impact of GDPR on your organization, as well as any gaps that your organization may have that affect GDPR compliance. Our three-step process to achieve GDPR compliance can be completed through a gap assessment performed internally or through a third-party assessor, like A-LIGN.
Reach out today – contact us or call 1-888-702-5446 to talk with an assessor about your GDPR compliance initiatives.