Data Privacy Violations Could Incur Massive Fines

Starting on May 25, 2018, the EU’s General Data Protection Regulation (GDPR), a new data protection regulation building on the EU’s 1995 Data Protection Directive, will be implemented and enforced for any organization holding the data of European Union citizens – the scope of the new regulations affect businesses in the US and Canada just as much as the EU. Failure to comply with the new data protection regulations could mean massive financial penalties for your company. Here’s what you need to know to ensure that your organization is ready for the GDPR.

Does the GDPR apply to companies outside of the EU?

Yes. The GDPR applies to any business dealing with and holding the data of any citizen located within the European Union, even if that business is not located within the EU. If your business holds the data of citizens living in the EU, you will be held to the same data protection standards as businesses located in the EU, and jurisdictionally open to the same fines if the regulations are not properly followed. A North American company in violation of the GDPR can be fined the greater of €10 million or 2% of your company’s global annual turnover. These massive penalties are reason enough to ensure that your organization is aware of and in compliance with the new guidelines established by the GDPR.

How can I ensure that my business is protected?

With the GDPR comes a number of data subject rights that must be complied with by all companies dealing with citizens of the EU, including:

  • Consent: In order to collect data, companies must first gain the express permission of subjects, and requests for permission must be given in an intelligible and easily accessible manner
  • Breach Notification: Data controllers are now obligated to notify all affected data subjects in the event of a data breach
  • Right to Access: Data controllers must supply data subjects with a free copy of their data upon request, and inform them as to what is being collected and why
  • Right to be Forgotten: Controllers are also obligated to erase subject data upon request or withdrawal of consent, with confirmation that the data has been deleted once it has been
  • Data Protection Officers: Companies who monitor data on a day-to-day basis on a large scale will be required to appoint a data protection officer who will ensure that relevant data management policies are in place and the GDPR is followed

Luckily for most North American companies, many of the guidelines found the GDPR can be found in Canada’s already established Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the United States’ Federal Trade Commission Act and Electronic Communications Privacy Act. Canadian and American businesses who are in compliance with the regulations found in PIPEDA, the FTCA, ECPA, and other mandatory guidelines will already have some sort of data protection and privacy policy in place. Keep in mind that these regulations and the new GDPR are not identical, so your business will still have to review and revise its data protection and privacy policy structure to ensure full compliance and to ensure that any potential oversights are taken care of.

What digital privacy laws and regulations should my American business be familiar with?

American businesses don’t have one single set of clearly-defined data privacy laws and regulations, but instead must comply with a variety of laws including the Federal Trade Commission Act and the Electronic Communications Privacy Act among others (including the Financial Services Modernization Act and the Health Insurance Portability and Accountability Act). Data privacy laws also differ on a state-by-state basis, with each having its own unique set of data privacy laws that make it mandatory to report security breaches that involve personal information. Most American-based companies will already have a clearly defined set of data privacy regulations that will make the transition to full GDPR compliance easier, but these may differ depending on sector and location.

What digital privacy laws and regulations should my Canadian business be familiar with?

In addition to the GDPR and PIPEDA, your Canadian business must comply with a variety of other important privacy and data protection regulations. These include the CAN-SPAM Act, the Canadian anti-digital spam regulations covering all commercial email messages, and DMARC, the Domain-based Message Authentication, Reporting & Conformance email authentication policy. All of these privacy and data protection laws and regulations must be closely followed by your organization, otherwise, you run the risk of incurring major financial penalties and suffering a blow to your reputation and brand.

One of the most effective ways of ensuring that your organization is complying with the GDPR, PIPEDA, and any other privacy and data protection regulations is to hire the services of a digital consultancy like ion8. Our experienced team of communications, design, marketing, and software solutions experts will be able to effectively assess and manage your business and its data collection policies to ensure that your organization is complying with all relevant regulations.

Contact ion8 today for more information about how we can help you ensure that your business is GDPR-ready.