Digital White Papers, MBD 17
A publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/817020


ILTA White Paper: Marketing and Business Development
A Worldwide Law: The EU, the GDPR and You

follow. That rule requires that data controllers notify the supervisory authority of a personal data breach within 72 hours of learning about the breach. This notification should describe the nature of the breach, the categories and approximate number of individuals affected, and the contact information of the organization's DPO. It should also include the likely consequences of the breach and what the controller has done to address and mitigate it. A data processor must notify a controller of the data breach "without undue delay."

When a data breach occurs, controllers must also notify individuals "when the personal data breach is likely to result in a high risk to the rights and freedoms of individuals," and they must do so "without undue delay." This notification should also include the contact information of the organization's DPO, the likely outcomes of the breach and how the company plans to rectify the situation.

There is some gray area in this part of the regulation. The controller does not have to provide notice if it implemented appropriate protection measures and applied those measures to the affected data, took subsequent measures to ensure that risks to subjects' rights would be unlikely to materialize, or if notification would require "disproportionate effort."

While everyone might be taking steps in the right direction, some might not be doing everything they can to protect personal data. Under the GDPR, penalties will be mandatory and uniform across all EU states. Depending on the violation, companies could pay up to 20 million euros or four percent of their global turnover (whichever is greater). This would be for violations such as lacking consent to process data or violating privacy by design. Lesser violations — like records not in order or not notifying the supervisory authority or data subject about a breach — could result in a fine of two percent of global turnover.

Global Impact

The GDPR states that the regulation applies to the processing of personal data of subjects in the EU, even if the controller or processor is not established in the EU. Any company that markets goods or services to EU residents can be subject to the GDPR (regardless of the physical location of the business). This provision makes the GDPR a worldwide law. The DPD was not nearly as expansive in its geographical reach.

If you are in the United States (U.S.), you are probably thinking, "What does this mean for my company?" Even though your business is not in the EU, you must still comply with the regulation if you market your goods or services in any EU member state. The GDPR will require that both controllers and processors that regularly collect or process personal data from EU citizens on a large scale appoint a local representative in the EU states where they do business. This is more likely to apply to U.S.-based software as a service (SaaS) providers whose clients and customers include companies with large numbers of EU end users or employees.

Another impact on U.S.-based companies is in data breach response plans. Under the GDPR, organizations have 72 hours to notify supervisory authorities. This time period is significantly shorter than any U.S. statute. The GDPR also has a much broader and more vague definition of what triggers a data breach notification than most U.S. statutes. In the U.S., the obligation to notify typically covers compromised data that combines a first name or initial and last name with some other unique identifier, such as a Social Security number or driver's license number. The GDPR is vague, requiring that notification be given when the breach can lead to identity theft, discrimination or

67 percent of Europeans expressed that they were concerned about not having control over their personal data and the information they provide online.
