If you haven’t heard of GDPR yet, you soon will. The General Data Protection Regulation or GDPR is new European Union legislation that aims to enforce stricter rules on how businesses collect, process, and store the data of European citizens. It also impacts businesses and citizens of the United Kingdom. In recent years, people from many countries have felt that the sensitive data they enter over the internet is too easily compromised and utilized improperly. The GDPR will outline a new framework for how businesses must handle the personal data of all citizens of the European Union in an attempt to keep people’s data more secure.
The GDPR will go into effect May 25, 2018—and it won’t just affect businesses within the European Union. Although this legislation is being rolled out in Europe, it could affect any company that handles the personal data of EU citizens, regardless of where the company is physically located or where the EU citizen lives. Let that sink in for a moment. If you’re a U.S. company that handles people’s personal data (that applies to just about anyone) and one of those people happens to be a European citizen, you may need to be compliant with GDPR, too. And failure to comply might result in consequences, both liturgically and financially.
So what is GDPR?
Well first off, let’s talk about what it isn’t. The GDPR is not a club or organization a company needs to join; there’s no GDPR “easy button” either. Instead, it’s important to know that the GDPR is just a legal framework that outlines how companies must handle personal data and what rights the person that data is about actually has. It provides guidelines that outline key privacy principles a company must commit to, guidance on how to handle personal data, a framework to allow affected citizens to exercise their rights to correct and remove that data, and a mechanism for handling possible disputes and penalties related to the handling of personal data and the privacy principles.
What Are The Main Principles Of GDPR?
The legislation is lengthy, but you can read the full text here. In layman’s terms, GDPR outlines several principles that businesses must adhere to regarding how they handle sensitive information such as someone’s name, address, and ID number—and more extensive web data like a person’s location, IP address, cookie data, and RFID tags. Overall, the main principles of the GDPR will require your company to:
- Be more transparent about where and how people’s data is collected and used
- Take reasonable measures to keep personal data secure
- Offer people choices to “opt out” of data collection altogether and access or correct their data
- Take accountability if you use someone’s data incorrectly and take the proper action if there is a data breach. (Under the GDPR companies have a 72-hour reporting window to report a breach.)
- Notify customers of your compliance with GDPR
The rules that apply to your specific business will depends on your company’s role in the process of collecting and processing personal data. It’s important to understand whether your company qualifies as a data controller, a data processor, or both. But what do these terms means?
Data Controllers Vs. Data Processors: What’s The Difference?
As it pertains to GDPR, a data controller is a company that has a EU citizen’s data. In the recruiting industry, recruiting firms and employers would be the data controllers; they have a candidate’s resume and personal information such as their phone number, email address, etc. A data processor is someone or something the data controller uses to act on their behalf—in the case of recruiting, the data processor is the software or service provider that the recruiting firm uses to store and manage this data. This may include your Applicant Tracking System, HR systems, or marketing systems.
The GDPR outlines specific regulations for both data processors and data controllers, but unfortunately, one can’t control the other. That is why the framework requires contractual agreements between controllers and processors, so that compliant data controllers must ensure that their data processors are compliant. Essentially, a data controller can’t ensure that the data processor company they use is compliant unless the data processor company itself stays compliant.
What you can do to start becoming complaint:
- Seek legal advice.
- Start the process of reviewing your processes, systems, and vendors to understand and ensure your compliance with the regulation.
What Are The Consequences Of Failing To Comply?
The GDPR will require businesses across the globe to change their policies to ensure compliance—and if they don’t, the consequences could be devastating. If you fail to comply, your company could be fined up to $20 million Euros or 4% of its global annual turnover, whichever is greater. You may also be punished via warnings and corrective orders, which can damage your company’s reputation in the global market.
Beyond a basic understanding of the overall meaning of GDPR, your company will need to involve your lawyer or legal team if you haven’t already to ensure you are ready for compliance. Stay tuned for more articles from Crelate in the coming weeks on tips that U.S. companies canGDPR use to stay compliant with GDPR going forward.
Disclaimer: This article and the information herein is provided “as is” without any warranty expressed or implied. This article does NOT constitute legal advice. Crelate makes no claims that the information in this article is either complete or accurate. Crelate does not provide legal advice, and customers should consult with their legal professional to determine their responsibilities under the GDPR.