Federal data protection regulation is still pending in the United States – however, the European Union (EU) is very close to passing sweeping regulation surrounding the protection of personally identifiable information (PII). PII is any data that could potentially identify a specific individual.
The EU is planning to implement the General Data Protection Regulation (GDPR) in late 2016 or early 2017. The law will initially only apply to companies that have over 250 employees, but it will likely extend to smaller businesses after rollout.
Key Points of Consideration for U.S.-based Multinational Organizations:
- The GDPR relies heavily on the seven corporate initiatives of Privacy by Design (PbD) which should be embedded into any organization’s PII data management procedures.
- It is the obligation of the holder of data to delete or erase personal data without any delay – and the right of the consumer that the holder will comply. Failure to erase PII in a timely manner will be viewed as negligence on the part of the holder.
- Multinational U.S. companies that may collect data from citizens of the EU but store it on U.S. servers will be required to act as if those servers are within the EU. The full scope of robust regulations regarding how personal data is processed and how individual rights are guaranteed will apply. (The U.S. has hinted at taking the same stance in its federal law.)
- Fines for non-compliance are serious, up to 1M Euros or 2% of the annual revenue of the offending corporation.
- The GDPR will require that notice be given to authorities within 72 hours – and, in some serious cases, 24 hours – of a data breach. The current U.S. requirements are limited, with some states not requiring notification at all.
- Moving data from the EU to a country outside of the EU will require security vetting of the end user.
If your organization has multinational operations, this law should be taken into consideration while evaluating your cyber program, particularly if you rely on importing your clients’ personal data from Europe.
Contact your M3 Account Executive with any questions or concerns about what your cyber protection will – or will not – cover in consideration of these new laws.