In recent years, the European Union has introduced various measures to improve data security and protect citizens’ personal information. To this end, the EU Privacy Shield was implemented in 2016, and the EU’s General Data Protection Regulation (GDPR) is set to go into effect in May 2018.
While both security measures dictate how data from the EU must be stored and transported, there are also some noticeable differences, including the intended audience, requirements, and consequences for noncompliance. By understanding which apply to your organization, you will be able to ensure seamless compliance and develop an effective corporate presence in the EU.
What is the EU Privacy Shield and the GDPR? Who do they affect?
Since July 2016, the EU Privacy Shield has been the dominant guideline in the transfer of transatlantic data. More specifically, it allows for the safe and legal transfer of EU citizens’ personal data to and from the United States. US companies that want to work with EU companies and handle their personal data must undergo a self-certification process, which requires them to adhere to the Privacy Shield.
Similarly, the purpose of GDPR is to standardize practices related to data storage and transport, to increase security, and to require notification in the event of a data breach. However, unlike the Privacy Shield, GDPR compliance is required for any countries that wish to do business with the EU and is not limited to the US.
What are the requirements of EU Privacy Shield and GDPR?
The main requirements for the Privacy Shield and GDPR are very similar in that they both focus on the relationship between individuals, their personal data, and the organizations (business, banks, medical providers, etc.) that use this data.
The Privacy Shield requires that individuals be notified of what data about them is being stored and transferred, have the option to opt out of submitting personal data, and have access to their personal information and retain the ability to change it. In addition, data must be transferred “only for limited and specified purposes,” with appropriate security measures taken to avoid or mitigate a data breach.
In addition to sharing the Privacy Shield’s requirements for opt-in and for limiting the transfer of data to only what is necessary, GDPR has a strict protocol in the event of a data breach. GDPR requires companies to report a breach to a supervisory authority within 72 hours of discovery, and the victims of the breach must also be notified “without undue delay.” A plan of action to mitigate any damage must also be implemented immediately.
What regulatory agencies enforce the Privacy Shield and GDPR? What are the consequences for noncompliance?
The US Department of Commerce and the Federal Trade Commission (FTC) monitor Privacy Shield compliance to ensure strong data protections. Companies must also have procedures in place for identifying and rectifying noncompliance with the above requirements, and EU citizens have the right to file a complaint with an individual company, report data misuse to a designated data protection official, or seek redress through an alternative dispute resolution organization.
GDPR will be enforced by a series of supervisory authorities which, according to Article 51 of the regulation, will be established by the EU member states for the express purpose of handling data security measures and reports of data breaches.
Organizations that do not comply with GDPR will face a significant fine of up to 20 million euros or 4% of a firm’s global gross revenue, whichever is greater.
A Solid Foundation For Data Protection
Although the legislation your organization will abide by depends on your location and whether or not you work with the EU, the requirements set forth in both the Privacy Shield and GDPR offer an excellent set of guidelines for strengthening overall data security.
The GDPR will be enforced starting on May 25, 2018. The Privacy Shield requirements are already in place.