FROM THE BLOG

How EU’s Latest Privacy Laws Might Affect You and Your Company

By: Jason Bell

techrealestatetrends.com


Data privacy laws continue to emerge. Both US and foreign-based companies now face challenges with the EU’s latest data privacy law, the General Data Protection Regulation (GDPR).

GDPR is the latest version of a 1995 directive by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It goes into effect on May 25, 2018.

What this means for US-based and foreign companies:

Any foreign company that collects EU data is at risk. GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. This makes it easier for non-European companies to comply with these regulations, since a single set of rules applies. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of global revenue.

What you need to do to prepare:

Of the foreign enterprises that have already prepared for this change, 70% have spent over $1 million from their IT budgets on preparation initiatives: information security, privacy policies, GDPR gap assessments, and data discovery to support the mandatory record keeping and data portability requirements.

What we should expect of our data vendors:

Under the GDPR, the controller is liable for the actions of the processors it chooses. US-based companies should therefore choose their data processors carefully, and the relationship between a controller and a data processor should be governed by a contract. That contract should include details about the data itself, retention periods, disposal requirements, and the nature and purpose of the processing.

Code of Conduct and Certifications:

Because verifying that each company is compliant with the GDPR is difficult, codes of conduct and certifications have been endorsed both as guidance on the requirements and as proof of compliance. US-based companies should familiarize themselves with the differences between them to ensure they choose the one that best fits their business model.

Enforcement and Fines:

The new enforcement procedures and fines associated with the GDPR are a source of anxiety for many company executives. The fines for non-compliance with the GDPR can reach millions or even billions of dollars. Violators are placed in one of two tiers, with the higher tier costing violators up to 20 million euros or 4% of the company’s net income.

Conclusion:

Clearly, many companies are concerned about the risks of GDPR. Some are investing in technology and training. Others, however, are not spending the same amount of money because their IT budgets do not allow it. For companies without a million-dollar IT budget and compliance support, GDPR has the potential to be a business-ending issue.
