The countdown has begun. With the commencement of the EU General Data Protection Regulation (GDPR) only a few months away, companies in Europe are busy working through its articles, recitals and fines, and trying to anticipate and prevent potential repercussions for non-compliance. However, European companies are not the only ones that need to be concerned. The regulation also applies to organizations located outside of the EU if they offer goods or services or monitor and process personal data of subjects currently residing in the EU/EEA. Given that the May deadline is approaching fast, you are likely to have already taken the initial steps to ensure compliance, such as mapping out a compliance plan, conducting a re-assessment of current policies and educating staff on the law’s importance.

This infographic is a short summary that offers a glance at GDPR’s major objectives and key provisions, outlines the rights granted to European citizens and touches on the technological and organizational aspects of GDPR compliance.

Never heard of the GDPR?

The EU General Data Protection Regulation (GDPR) is the law that will:

– harmonize data privacy laws across Europe

– protect EU citizens’ private electronic information

– change the way organizations approach data privacy

– give more power to regulatory bodies to take action against organizations

– simplify and unify the regulatory environment within the EU

10 Quick Facts

Coming into force: May 25, 2018

Where? Countries belonging to the European Economic Area (EEA), which includes all EU members, post-Brexit UK, Iceland, Liechtenstein and Norway. It also applies to all organizations (public and private) located outside of the EU if they offer goods or services or monitor and process personal data of subjects residing in the EU.

The aim: To allow EU citizens more control over their personal data and simplify the regulatory environment for businesses.

Non-compliance penalties: Warnings, regular audits, fines and destroyed reputation. The maximum fine is 4% of annual global turnover or €20 million, whichever is higher.

Expected savings: A unified data protection law that will replace national legislation is expected to save €2.3 billion a year.

DPOs: To ensure compliance with GDPR, 28,000 data protection officers will have to be appointed in organizations across Europe.

9 in 10 companies have already suffered data breaches.

According to a PwC survey, 92% of US multinationals view GDPR as their top data protection priority.

However, only 6% of US businesses believe they are completely GDPR ready.

It is expected that 80% of companies will fail to comply in the first year.

What personal data does the GDPR aim to protect?

The definition of personal data is now broader and includes (but is not limited to) identifiers such as:

– name

– biometric data

– location data

– income and other financial data

– online identifiers: IP address, cookies, apps, RFID tags…

– sensitive personal data: health, genetic, socio-economic, racial and ethnic information, cultural profile, sexual orientation

What rights does it give to data subjects?

EXPLICIT CONSENT

All data that is stored must be obtained by clear, unambiguous consent. The consent can be withdrawn at any time.

TRANSPARENCY

Individuals have the right to know why, how and which of their personal data is being collected and how it is processed.

THE RIGHT TO BE FORGOTTEN

The right to withdraw consent and demand data deletion.

NOTIFICATION OF BREACH

Data controllers will need to inform their customers (data subjects) if their personal information has been hacked or compromised, and do it within 72 hours of the breach.

DATA PORTABILITY

Data subjects need to be able to transfer their personal data from one service provider to another.

An organization’s online communication is a crucial aspect of GDPR compliance. Email, social media and instant messaging exchanges are especially prone to GDPR violations since they are used for sharing personal information and remain the main targets of cyber criminals. Implementing an archiving or data governance solution, combined with a well-planned and well-executed organizational strategy, will help your organization stay in compliance with this new and demanding regulation.