Confusion and indecision appear to be hampering companies' compliance with the EU-wide General Data Protection Regulation (GDPR), as zero hour rapidly approaches.
On May 25, 2018, the new law will become effective, which leaves about a year to prepare. GDPR will impact every entity that holds or uses European personal data, both inside and outside of Europe. The relevance of GDPR is therefore not limited to Europe, and the fines for non-compliance are massive.
Yet nearly half of global firms surveyed by Experian are only in the early stages of “developing their data maturity to meet current regulations.” And, after Brexit, almost a quarter of UK companies mistakenly stopped preparing for GDPR, according to a survey by Crown Records Management, which also found that 4% have not even started to prepare.
Digitalization is a double-edged sword when it comes to personal data. The convenience of online services and the personalization of business communications carry with them the potential for use and abuse by organizations we don’t want to do business with — and for purposes in which we have no need or interest. Unsolicited contact is not just annoying; there is a real danger that our personal identity can be stolen and used for criminal activity and more.
With GDPR, the European Parliament, the European Council and the European Commission are strengthening, simplifying and unifying data protection for individuals within the European Union (EU). Not only is the legislation more complex and far-reaching, it has also raised the maximum fine to €20 million, or 4% of global turnover — whichever is greater. Furthermore, there is a huge risk of litigation being brought against major corporations that have exposed personal data.
In general, these are the major aspects of GDPR compliance you need to pay attention to:
- You must have precise knowledge of the data you house and process: where it is located, how it is secured and used, and what it consists of — is it personal, prohibited, client-related, employee-related? Also, how is it captured — is it permitted by law or by the customer?
- You must provide information on its usage and on the subject’s rights regarding his or her data.
- You must demonstrate the ability to manage personal data in a manner compliant with the regulation and be able to provide stored data at a subject’s request (including how it has been used).
- You have to be able to erase every instance of a subject’s data in compliance with the right to be forgotten.
- You must offer storage or conversion of data in a format that allows portability to other data processors.
- You need Governance, Risk and Compliance (GRC) and IT planning practices that guarantee compliance with the GDPR, including sustainable policies and processes now and in the future, internal controls and risk mitigation, and clear instructions on how to react to a security breach of personal data.
The challenges cannot be overstated (for more details, check out Gartner's white paper here), and the penalties for breaches are stinging: for major violations the fines can be up to 4% of the global revenue of the previous year. For a large corporation, this could be very painful indeed.
In our next blog we will outline what needs to be done urgently to prepare for GDPR. Take a look at our website for more information meanwhile, or download our white paper.