A big change is coming, and it’s a change that every multinational company that has dealings in the European Union will need to prepare for. On May 25, 2018, the General Data Protection Regulation (GDPR) becomes applicable, and it will govern how multinationals manage their data processing and protection policies. Failure to comply with the regulation could result in costly penalties, not to mention damage to reputation.
But what is GDPR, how will it apply to U.S. businesses doing business in the European Union and what are the penalties for non-compliance? In this article, we will explore the elements of GDPR that every multinational company needs to know, and how to make the final preparations for the May deadline.
What Is GDPR?
Over the past couple of months, there has been a lot of talk about GDPR, which is to be rolled out across Europe and which will impact any organization that processes the personal data of individuals in the EU (the trigger is where the person is, not their citizenship). This isn’t legislation that has simply been pulled out of a hat; it is the culmination of four years of efforts by the Council of the European Union, European Commission and European Parliament to replace the 1995 Data Protection Directive with rules fit for today, especially in areas where people give permission to organizations to use their personal data in exchange for “free” services.
How Will This Affect US Companies That Do Business in the European Union?
The regulation took years to come to pass but was formally approved by the European Parliament on April 14, 2016, with a two-year transition period. Any organization that processes the personal data of individuals in the EU has until May 25, 2018 to get its GDPR house in order. After this date, supervisory authorities can fine any company that isn’t processing data in compliance with the regulation.
Planning Your Approach
While the scope of GDPR is far-reaching, the most important considerations for organizations that process or collect personal data on individuals in the EU include:
• Identifying the personal data that falls within GDPR’s scope and tracking which of that data you share with external organizations (processors and other third parties)
• Designing GDPR-centric processes, with data protection built in by design and by default, that ensure the protection of all relevant data
• Notifying the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
• Informing data subjects how you will treat their information and making it clear how they can request access to the data you hold on them
• Being ready to disclose details of a breach to the affected individuals. Where a breach is likely to result in a high risk to them, you are required to inform them without undue delay.
What Are the Penalties for Non-Compliance?
GDPR is legislation that must be taken seriously, and the possible penalties illustrate just how serious non-compliance could be for any company. Organizations that breach the core obligations of the regulation could face a fine of up to 4 percent of worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. A lower tier applies to obligations such as carrying out data protection impact assessments before high-risk processing, or notifying the supervisory authority of a breach: failing these could cost up to 2 percent of worldwide annual turnover or €10 million, again whichever is higher.
How GXA Can Help
GDPR can be complex and understanding where to start can be daunting. At GXA, we offer a comprehensive range of IT solutions that can help multinational companies to identify and manage GDPR data and protect their bottom line and reputation. From carrying out an audit of all company data to designing a cloud infrastructure that ensures secure and practical management of that data, we tailor our solutions to suit the needs and demands of each individual business today and into the future.