Through the power of information technology, any enterprise that sells products or provides services via the internet is technically a global business. Regardless of whether your organization is a one-person operation selling novelty T-shirts or a Fortune 100 company providing sophisticated cloud computing solutions, you are likely to have customers residing outside your country of origin. In general, this is considered a good thing.
However, with that global reach comes certain responsibilities, some of which are codified in laws and regulations with specific, and potentially costly, consequences. For example, the European Union (EU) is about to begin enforcing a new set of regulations designed to protect the data security and the privacy of its citizens. Enforcement of the General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and will be applicable to every citizen of the EU and any business entity that transacts with them, regardless of the location of the business.
Put simply, if you have a customer from an EU country and you collect any data from that customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law.
This smart person's guide explains what the GDPR is and how its provisions impact enterprises and their IT infrastructure.
- What is the GDPR? The GDPR codifies and unifies data privacy laws across all EU member countries.
- Why does the GDPR matter? Penalties for non-compliance with the provisions of the GDPR regarding collecting and using personal data are potentially devastating.
- Who does the GDPR affect? The GDPR is applicable to any business collecting personal data from a citizen of the EU.
- When does the GDPR go into effect? Enforcement of the GDPR goes into effect May 25, 2018.
- How can I learn more about the GDPR? The provisions of the GDPR are publicly viewable from the EU.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
What is the GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC. The GDPR codifies and unifies the data privacy laws across all the EU member countries and is applicable to any citizen of the EU and, most importantly, for any company doing business with a citizen of the EU. Specifically, the extended jurisdiction of the GDPR states clearly that it applies to all companies processing the personal data of subjects residing in the Union, regardless of the company's location.
The provisions of the GDPR for keeping the personal data of customers secure and regarding the legal collection and use of that data by businesses is straightforward and basic common sense, but the penalties laid out for violations are significant. Enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 Million Euros, whichever is greater.
SEE: The Big Data Bundle (TechRepublic Academy)
- The General Data Protection Regulation (LogRhythm white paper/TechRepublic Resource Library)
- So what is GDPR? (EveryCloud white paper/TechRepublic Resource Library)
- 3 tips to reducing big data compliance risks (TechRepublic)
- Biases in algorithms: The case for and against government regulation (TechRepublic)
Why does the GDPR matter?
Any enterprise that collects data from customers is potentially subject to the provisions of the GDPR, and therefore is also subject to the penalties associated with non-compliance. The penalties for non-compliance can be steep, so every enterprise should know and incorporate strict compliance with the GDPR into their business practices and procedures before enforcement becomes active.
- Microsoft offers a free assessment of your enterprise's GDPR readiness (TechRepublic)
- Windows 10 snooping? Most users want us to record what they do on their PC says Microsoft (TechRepublic)
- Why enterprises are finally paying up for big data security (TechRepublic)
- Network security policy (TechPro Research)
Who does the GDPR affect?
Collecting and accepting personal information from any citizen of the EU will invoke the GDPR, regardless of your enterprise's country of origin. For all intents and purposes, if your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR. As a hedge against liability, this essentially means the GDPR applies to every public-facing enterprise.
- US businesses: Start preparing for the EU's new privacy regulation (TechRepublic)
- How Europe's GDPR will affect Australian organisations (ZDNet)
- Complying with EU's General Data Protection Regulation (Skybox Security white paper/TechRepublic Resource Library)
- Big data privacy is a bigger issue than you think (TechRepublic)
- Ebook—IT leader's guide to big data security (Tech Pro Research)
When will the GDPR take effect?
Technically speaking, the GDPR has been ratified and is currently in effect; however, the EU granted a two-year grace period before beginning enforcement of the provisions in the law. Enforcement goes into effect May 25, 2018.
- As EU's General Data Protection Regulation (GDPR) looms, tech vendors ready pitches (ZDNet)
- Singapore, Japan, Korea among least prepared for new EU data laws (ZDNet)
- Trevor Hughes: How companies should prepare for GDPR (ZDNet video)
- The top 5 reasons you should care about privacy (TechRepublic)
- 4 critical points to consider when receiving cybersecurity and privacy advice (TechRepublic)
How can I learn more about the GDPR?
A complete version of the EU General Data Protection Regulation, formatted for easy reading, is available, and every enterprise that collects personal data from customers should become familiar with its provisions.
- The downside to the developer revolution: Big data (in)security (TechRepublic)
- Artificial data reduces privacy concerns and helps with big data analysis (TechRepublic)
- Artificial intelligence and privacy engineering: Why it matters NOW (ZDNet)
- Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)
Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.