When the world opens for business on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will be in force, permanently changing the way businesses around the world collect, process, and store data on EU prospects and customers. Early indications suggest that many organizations don’t fully grasp the magnitude of the new legislation or the extent of its requirements:
- When Veritas conducted a survey of organizations from around the globe, 31 percent indicated that they were already GDPR compliant. However, when questions turned to specific requirements, it became clear that many of them fell short. In fact, 98 percent of the organizations that initially believed themselves to be compliant were mistaken.
- In a study conducted by Varonis, 38 percent of respondents indicated that their organizations don’t view becoming compliant by the May 25 deadline as a priority.
- In another survey conducted by TrustArc, 61 percent of respondents reported that they hadn’t begun implementation of their plan for compliance, and 4 percent of that group hadn’t even started the planning process.
- Gartner predicts that, by the end of 2018, more than half of affected organizations will still be non-compliant.
What Is the GDPR?
The GDPR is the European Union’s General Data Protection Regulation. Its purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU residents’ data privacy, and to reshape the way organizations across the region approach data privacy for EU residents wherever they work in the world.”
Who Is Covered by the GDPR?
The law applies to any organization conducting business in the EU, and also to organizations outside the EU that collect, process, or store information on EU citizens, or on non-citizens while they reside in the EU. Organizations in scope therefore include:
- Non-EU companies that employ EU citizens (regardless of location)
- Non-EU companies that collect, process, or store data on EU citizens and/or residents (even, for example, an IP address belonging to a single individual)
In general, it would be a mistake for organizations to simply assume that they’re not affected because they have no physical presence in the EU.