In just a few short weeks, the internet landscape we've all become accustomed to will change dramatically. The European Union is implementing new regulation for the collection and processing of personal data. The General Data Protection Regulation, known as GDPR, creates new, far stricter rules on how organizations may handle the personal data of individuals in the EU.

Admittedly, it doesn't sound very earth-shattering. It's not a revolutionary new application or a game-changing new search engine. But these rules will change the way businesses and government organizations all over the world operate. GDPR applies not only to organizations established in the EU but also to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour - even if you've never held operations overseas, processing the personal data of people in the EU can bring you within its scope.


GDPR In a Nutshell

Essentially, GDPR considerably increases the rights of individuals in the EU to know and understand what is being done with their data. Every use of personal data must rest on a lawful basis; where that basis is consent, the request must come in an "intelligible, easily accessible form" that explains how the data will be used, and revoking consent must be as straightforward as giving it. Individuals must be able to see, erase, and transfer their data upon request. Organizations must restrict their data collection and usage to what is strictly necessary for the stated purpose. They must also notify the relevant supervisory authority within 72 hours of becoming aware of a breach (and notify the affected individuals without undue delay when the breach is likely to put them at high risk), and they must build data protection into any new system they develop. Public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data, will be required to appoint a Data Protection Officer.

GDPR is a massive shift - and the consequences for failing to follow its requirements are enormous. For the most serious infringements, fines can reach €20 million or 4 percent of the organization's annual global turnover, whichever is higher.

Preparing for GDPR

Preparing for this change may seem like an enormous task, and there are several things organizations should keep in mind. The first and most important is making sure your organization understands what GDPR requires and, more specifically, how it applies to your organization and the type or types of personal data you collect. As Robert McCullen pointed out in Forbes, "Every…piece of personal data poses a serious responsibility." By taking a comprehensive inventory of what data you hold, where it lives, and what data you actually need, you'll get a better sense of how to comply with the regulation - and of what you can stop collecting altogether.

The second step is to streamline your systems and make them as straightforward as possible. PLUS, or the Professional Liability Underwriting Society, recommends that organizations develop cybersecurity checklists and incident-response procedures so that, should a breach occur, you can explain precisely what happened to the supervisory authority and to affected individuals - within the 72-hour window. PLUS also recommends that organizations and their employees "be knowledgeable" and equipped to answer any questions consumers might have. The key to doing this is, of course, to have "clear and sound policies" across the board, from breach notification procedures to privacy rules.

GDPR represents a major shift towards global accountability and transparency. But with the right preparation, organizations can face the challenges of this regulation head-on, providing vital products, services and information to consumers all around the world.