Getting ready for the General Data Protection Regulation

GDPR has the potential to become a de facto global standard for data governance and privacy for companies that operate on an international basis.

Effective in May 2018, the European Commission’s General Data Protection Regulation (GDPR) represents an extraordinary shift in the way businesses around the world will be expected to operate when they gather, process, maintain, and protect customer data.

Unlike past European Union (EU) privacy mandates, GDPR applies to every organization—based anywhere in the world—that handles the personal data of an EU resident.

The GDPR requirements are as sweeping as they are demanding:

  1. Strict regulations define the consent required to collect personal data, as well as the records that organizations are required to maintain to document how, when, and where consent was acquired.
  2. EU residents can demand to know what personal data is retained by an organization, understand how that data is being used, and require that the data be modified or erased upon their instruction.
  3. Privacy-by-design must be incorporated into all marketing, product, and service systems that retain personal data of EU residents. Data breaches generally must be reported within 72 hours of their discovery.
  4. Organizations must be prepared to proactively demonstrate total compliance with all aspects of the law. Penalties for non-compliance can be as high as €20 million or 4% of total global turnover from the prior year, whichever is higher. At these levels, penalties for non-compliance could threaten the very survival of many companies.
