EU GDPR: Should You be Worried?
EU GDPR was adopted on 8th April 2016 and this data protection framework is expected to replace the current directive on 25th May 2018. General Data Protection Regulation was designed to replace the Data Protection Directive 95/46/EC and harmonize data protection laws all over Europe. The primary objective of the General Data Protection Regulation is to empower the EU citizens’ privacy, protect them from privacy breaches along with an intention to reshape the way organizations across the regions perceive data privacy. Companies that have not yet adopted the new system will be subjected to heavy fines. The big question is whether the GDPR is applicable to companies in the United States?
Applicability of GDPR to Companies outside of EU
Since the traditional practice is being upgraded to GDPR, changes are to be expected but to what extent actually? And how will they impact companies? Here’s a briefing of what is yet to come;
Extra Territorial Jurisdiction:
General Data Protection Regulation extends the jurisdiction, the target of this application is all the companies currently residing in the Union, despite the location of the company. Data Protection Directive was comparatively ambiguous. The application of the General Data Protection Regulation has few objectives;
- Processing personal Data via controllers
- Processing in EU
- Not taking account of whether the processing is being done EU or not
Non-EU data processing business organizations of EU citizens will be required to appoint a representative in the EU.
Companies that are violating the privacy of design’s core by lacking significant consents to processing data will be subjected to serious infringements, under the General Data Protection Regulation organizations those in breach will be fined near 4% of the annual global turnover or €20 Million. Other regulations include;
- Companies having Unorganized records will face a 2% fine (article 28)
- Having a data breach and not reporting about it to the authority shall be fined along with a report of impact assessment should be presented.
- These regulations do not discriminate between controllers or processors.
- Exemption of ‘Clouds’ will not be observed from General Data Protection Regulation enforcement.
The term “Consent” has been taken very seriously and its impact has been strengthened, companies will be from then on restricted to use their traditional practices of having illegible terms and conditions contracts. The new consent must be provided with an intelligible and highly easily accessible form that lists the purpose of requiring such sensitive data and where it shall be applied. Companies would be required by law to follow the following obligations:
- Designing consent forms that are clear to the reader and points can be understood clearly because of zero ambiguity.
- Distinguishable along with being intelligible.
- Being easily accessible.
- Having plain language.
- Designed in a manner that it is easy to withdraw consents
So, if you are a company that is either in the EU region or outside of it, you will need to think seriously about the law. Please feel free to drop in a comment or write to us if you want to know more about making your company compliant with GDPR.