The European Union (EU) General Data Protection Regulation (GDPR), enforced from May 2018, is one the biggest changes to data privacy regulation for European businesses since 1995. While every EU-operating business must be compliant, many still are not.
We put security, privacy and data protection at the core of our product. We are fully certified as GDPR compliant, and constantly strive to go above the minimum regulatory standards.
If you are doing business in the EU, our contracts include the Forecast Data Processing Agreement.Working with external legal counsel we regularly update this document to be in compliance with GDPR and other generally acceptable privacy laws. If you have any questions about its contents please contact us directly.
The General Data Protection Act (GDPR) will replace the 1995 Data Protection Directive.
The GDPR regulates the processing of personal data about individuals in the EU including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data. In short, here are some of the key changes that come into effect with the GDPR:
Expanded rights for individuals: The GDPR provides expanded rights for individuals in the EU by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the EU, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.