The European Union's (EU's) General Data Protection Regulation (GDPR) imposes strict limits on the collection, storage and use of personal data in the EU. Among other things, GDPR establishes requirements for notification and consent whenever personal information is exchanged or monitoring is taking place, enacts a "right to be forgotten" in certain instances and imposes steep fines – as much as 4 percent of worldwide revenue or 20 million euros, whichever is greater – on violators. Given the global nature of the economy, especially the online one, the GDPR's reach extends well beyond the borders of the EU, forcing many organizations outside the union to determine if and how they are affected. Non-EU security companies, in particular, by providing devices and services that rely on the collection and processing of personal information and images to manage risk, must determine their compliance requirements under the GDPR. This Security Industry Association paper provides an overview of the GDPR's impact on non-EU organizations, including when these organizations are covered and what they need to do to comply.