Gartner predicts that by the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements. Here we explain the impact of the GDPR regulation and how you can prepare…
What is the EU data protection regulation?
Adopted by the European Parliament and the Council of the EU on a proposal from the European Commission, the General Data Protection Regulation (GDPR) replaces the current Data Protection Directive 95/46/EC and applies from 25 May 2018. Its main purpose is to protect the personal data and privacy of individuals in the EU and to harmonise data protection law across EU member states; as a regulation rather than a directive, it applies directly in every member state without national implementing legislation.
Some of the key privacy and data protection requirements of the GDPR that will impact your business include:
Lawful Basis and Proven Consent: You must have a lawful basis for holding and using any personal data. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and you must be able to demonstrate at any time that it was given (for example by keeping a record of when, how and for what purpose each person consented). Pre-ticked boxes and silence do not count as consent.
Purpose Limitation: You cannot use data for a purpose incompatible with the one for which it was originally collected. If someone has agreed to receive your email newsletter, you need fresh consent before using their address for other forms of communication, such as event notifications.
Right to Erasure: Individuals have the right to request deletion of their details when the data is no longer needed for the purpose for which it was collected, when they withdraw the consent on which the processing relies, or when they object to the processing and there is no overriding lawful ground for continuing it.
Data Protection Impact Assessment (DPIA): Where processing is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring, you must carry out a DPIA before the processing starts. It documents the processing, reviews how the data is secured, stored and managed, identifies the risks to the people whose data you hold and records the measures taken to address those risks.
Data Protection Officers (DPO): If your core activities involve large-scale processing of special categories of data (such as genetic data, health data, racial or ethnic origin or religious beliefs) or large-scale, regular and systematic monitoring of individuals, or if you are a public authority, your business must designate a DPO to oversee GDPR compliance. The DPO must have expert knowledge of data protection law and practice and must be able to act independently; the GDPR does not require the DPO to be a lawyer, but you will still need to factor the role into your budget.
Breach Notifications: In the case of a personal data breach, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to the rights and freedoms of those affected, you must also inform them without undue delay. If you miss the 72-hour deadline, you must give reasons for the delay.
Who will be affected?
According to Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC), “GDPR will impact every entity that holds or uses European personal data both inside and outside of Europe”. In practice, the GDPR applies to any organisation established in the EU, and to any organisation elsewhere in the world that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
Companies that already comply with the directive must ensure they also meet the new requirements of the GDPR before it comes into effect on 25 May 2018; otherwise they will be exposed to enforcement action and fines.
According to Computer Weekly, “The GDPR requires that privacy is included in systems and processes by design. This means that software, systems and processes must consider compliance with the principles of data protection.” As a result, you will need to:
Educate your management and employees on the GDPR regulations to ensure they’re fully aware of the new requirements.
Assess your data management processes to identify risks. Can the technologies you invested in five to ten years ago protect you against current data threats?
Design policies and procedures to ensure your business adheres to the GDPR. These should include a breach notification plan, so that any breach can be assessed, reported to the supervisory authority within the 72-hour window and communicated to those affected with as little damage to the organisation as possible.
Review your GDPR processes regularly to avoid unnecessary fines.
GDPR and Brexit
According to Marketing Week, a quarter of UK businesses are no longer preparing for the GDPR because they believe Brexit means they will not have to comply. However, the GDPR comes into force in May 2018, while the UK is still a member of the EU, and will in any case apply to any business, inside or outside the EU, that handles the personal data of individuals in the EU.
What if I don’t adhere to the GDPR regulation?
According to research, only 63% of companies adhere to the Data Protection Act, 27% to the EU Data Protection Directive and 22% to the EU Cyber Security Directive. More than one in ten are unaware which regulations their businesses need to adhere to. Therefore, it is essential to understand the consequences of noncompliance:
Reputational Damage: Any breach involving customers’ financial or private data can have a significant impact on your business and its reputation, and can also lead to compensation claims from the individuals affected.
Hefty Fines: The most serious infringements can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher; a lower tier of up to €10 million or 2% of turnover applies to other breaches of the regulation.
Lost Customers: Misuse of customer data or any data breach can damage relationships with your customers and impact revenue.
Being GDPR ready means getting your data in order. Is your business GDPR ready?
Act now – failure to do so will leave you vulnerable at a time when a mistake could cost your organisation dearly.