GDPR Compliance Facts that California Businesses Must Know
The GDPR, in force since May 25, 2018, has quickly become one of the records management laws every information manager must know. It requires that companies doing business in, or with ties to, the European Union manage and protect their customers' personal data to a considerably higher standard than most were used to. Fines for failing to comply can run as high as 20 million euros (roughly $25 million USD at the time of writing) or 4% of worldwide annual turnover, whichever is higher.
Fundamentally, the GDPR aims to give consumers more complete control over how their personal data is collected, stored and used.
“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
The good news is that being in California already gives you a head start. California was the first state to enact a data breach notification law, intended to provide early warning to those at risk of identity theft; it parallels Articles 33 and 34 of the GDPR, which require notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, notifying the affected data subjects as well. The GDPR's deadlines and content requirements are stricter than California's, so a head start is not the same as compliance.
California businesses likely need to be GDPR compliant.
Whether a company operating solely in the U.S. must also comply is a complicated question, but many that assume they fall outside its scope actually fall within it. That means you have some homework to do to see whether it applies to your business. Here are three reasons a California business might need to comply.
- If you are a California business with a web presence that offers goods or services to people in the EU, or monitors their online behavior, the GDPR's territorial scope (Article 3) reaches you regardless of where your servers or offices are, and you will need to be compliant.
- If you work with a company that requires its vendors to be GDPR compliant, you will have to follow the GDPR's requirements as well, typically through a data processing agreement that the controller is obliged to put in place with its processors (Article 28).
- If you want your business to be more attractive to prospects who are looking for a vendor that is GDPR compliant, compliance becomes a commercial requirement even where it is not a legal one.
GDPR compliance also applies to paper records.
While the drafters of the GDPR intended it to be "technologically neutral," the regulation's material scope (Article 2(1)) covers (1) the processing of personal data by "automated means," and (2) the processing of personal data other than by automated means where the data "form part of a filing system or are intended to form part of a filing system."
It is the second situation that covers information kept on paper, which means physical records containing personal data also fall under the regulation.
Paper records are an often overlooked security risk. In the last 24 months, 17.7% of the data breaches under investigation by the U.S. Department of Health and Human Services were related to paper and physical documentation. Other sectors, such as legal and financial services firms, also hold unusually large volumes of physical documents, but every company should take stock of what personal data it holds in physical form.
The GDPR is often discussed as though it were aimed only at large firms processing big data, but the way the regulation is written means that nearly every business must keep records of its processing activities (Article 30) and be able to locate and retrieve personal data quickly enough to answer access, rectification and erasure requests, generally within one month (Article 12). Any data that is "processed" falls within its scope.
“‘Processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
The big takeaway is that the language of the GDPR is remarkably broad. Practically speaking, this means that all documents, digital or paper, that contain personal data are likely subject to the GDPR.