In less than a month, companies that process the personal data of customers in the European Union (EU) must meet the new, stringent compliance standards outlined in the General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC. Yet a surprising number of companies are not prepared and are likely to miss the deadline of May 25, 2018. In fact, according to a recent report, only 40% of organizations are well prepared for the impending deadline. A lack of funding, resources and expertise all contribute to this lack of preparedness. However, with the risk of costly penalties looming, global enterprises must act.
The GDPR establishes data protection as a fundamental right and strengthens the rights and freedoms that flow from it. In addition to putting personal data back in the hands of the individual consumer, it requires companies to keep transparent documentation of the data they collect and of how that data is stored and processed.
Ready or not, changes must be made to ensure compliance. Here are 5 things you should know:
- The penalties are steep.
There is a tiered approach to the fines companies can face, with the maximum being a fine of up to 4% of annual global turnover or €20 million (whichever is greater). That said, it is important to note that hefty fines are usually the last resort for supervisory authorities such as the UK's Information Commissioner's Office (ICO), with recommendations and warnings typically coming first. Despite this, companies should be wary: stricter enforcement, along with these increased fines, is to be expected.
- Located outside of the EU? GDPR can still apply to you.
Along with all companies located within the EU, the GDPR applies to any organization, wherever it is based, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. For example, if your business, headquartered in Dallas, Texas, has a website that collects email addresses from customers, including customers in the EU, then you are subject to the GDPR. In practice, it is safe to assume that the GDPR applies to any public-facing enterprise with an international audience.
- Understanding your data is key.
Understanding the data you currently capture and how that captured data is being used is an essential, yet oftentimes difficult, first step in any organization's journey towards compliance. Exercises such as data mapping can help simplify the often arduous process of identifying the personally identifiable information (PII) you hold, where it is stored, and which systems and third parties it flows through.
- The consumer is in control.
Not only must users be able to opt out of, or withdraw consent for, the collection of their personal data; detailed records of the purpose of that data collection must be kept and made available to the individuals concerned. On top of that, consumers have an explicit right to erasure (the "right to be forgotten"), which means that their data records must be deleted upon request unless a legal obligation or another lawful basis requires the data to be kept. Consumers also have the right to access their data at any time, free of charge. Organizations have one month to respond to such a request, extendable by up to two further months for complex or numerous requests, and must tell the individual if an extension is needed.
- Documentation and communication are just as important as implementation.
Organizations must be able to demonstrate their compliance efforts through internal process, policy, and training documentation. A shift towards increased transparency, both internally and externally, will play a big role in meeting compliance standards. For companies that feel ill-prepared for the impending deadline, documenting the steps you have taken and plan to take as you work toward GDPR compliance will likely be taken into account by regulators.
The shift towards GDPR compliance will pose challenges for both businesses and consumers, as implementing these changes requires dedicated resources from organizations and an understanding of the changes on the part of consumers. However, companies that invest in data governance and transparency demonstrate their commitment to individuals' privacy, which can lead to deeper trust and more loyal customers.
Still feeling uncertain about what this impending deadline means for your enterprise? Drop us a line. Sagepath can help to create, assess, or implement your compliance plan before GDPR goes into effect.