GDPR 101: Here’s what you need to know for May 25 2018
What is GDPR and how is it relevant to Canadian companies?
GDPR (General Data Protection Regulation) is a European regulation established to standardize the existing data protection regulations between countries and how to enforce these rules.
In the past, every European country had a different set of regulations with different levels of requirements and expectations (e.g. Germany had a very strong regulation). Many companies were not compliant regardless of the regulations in place. As security and data privacy became an important topic for everyone, GDPR introduced significant fines to push companies to adhere to the compliance mandates. Article 83: infringements or non-compliance shall be subject to administrative fines of up to EUR 20 million (CAD 30 million) or up to 4% of the total revenue of the preceding financial year, whichever is higher.
GDPR is the culmination of four years of effort and was released on May 24th 2016, providing two years for all companies to be compliant by May 25th 2018. As this deadline has come and gone, many organizations are still not taking the required steps to be compliant with these regulations. What most organizations don’t realize is that they are impacted, no matter where they are located around the world.
There are two main conditions to fall into GDPR compliance regulation:
- Your company is processing data in Europe (e.g. your company has an office, a store, or a distribution point in Europe, or your cloud provider is processing data in Europe)
- Your company is processing the data of an EU Data Subject (e.g. your company is providing a service to, or collecting personal information from, an EU Data Subject)
GDPR does not clearly describe who is a data subject, which can cause some confusion.
The short definition of an EU Data Subject is anyone within the borders of the EU at the time you are processing their personal data. The GDPR Data Subject is well described in an article posted on Cyber Counsel: https://cybercounsel.co.uk/data-subjects if you need more clarification.
Due to the definition of an EU Data Subject, almost every organization has to be compliant with the GDPR. Better to be safe than sorry!
Let us help you get started with the basic principles for moving towards GDPR compliance.
The first steps to become compliant are:
- Understand the GDPR and your level of compliance;
- Clearly understand the definition of personal data (direct and indirect);
- Clearly understand how you are processing personal data;
- Know where your personal data is stored (ERP, CRM, Files, E-mails, Contacts);
- Know how your personal data is protected;
- Define an improvement plan;
- Have an incident management plan;
- Have a communications plan.
The GDPR came into effect on May 25th, 2018. If you haven’t started thinking about your compliance strategy, it is never too late to start.
If you want to know more about GDPR and the existing solutions for improving your security protections and GDPR compliance in a Microsoft environment, watch our webinar recording or contact Avaleris for a personalized presentation.