GDPR: What you need to know about Europe’s strictest data privacy regulation
14 September 2017
By Vee Punia
The EU General Data Protection Regulation (GDPR) is possibly the most important change in data privacy regulation in the past two decades. While some companies have started working towards GDPR compliance, Gartner predicts that by the end of 2018 more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. With close to 160 requirements covering data collection, storage and use, and a mandatory 72-hour notification of personal data breaches, this legislation will greatly impact any company that handles the personal data of people in the EU, not only European ones.
About the GDPR
The GDPR is designed to protect individuals in the EU from privacy violations and data breaches in an increasingly data-driven world. Its main purpose is to give individuals more control over their personal data and to impose stricter rules on the organizations that handle it. Note that the GDPR applies to any organization that processes the personal data of individuals in the EU, whether or not it has an establishment in the EU: a non-EU company that offers goods or services to people in the EU, or that monitors their behaviour, is in scope. And while the GDPR replaces a patchwork of national laws with a single regulation that applies across the whole of the EU, which in theory makes it easier for non-EU organizations to comply, the requirements themselves are stricter, making compliance more challenging.
Ramping up for the GDPR
With less than a year to go before the GDPR kicks in, here's a quick rundown of what you need to know:
How to comply with the GDPR: Organizations need to look at what data they collect and how they process it, how they obtain consent to use that data, and how to close gaps in their data handling policies, including but not limited to data protection, security, breach response and retention. Accordingly, companies should review how they handle communications, monitoring and email, as well as the website cookie notice and privacy statement shown to EU residents.
The GDPR also sets a higher standard for consent, which is one of the most widely used lawful bases for processing personal data. Consent must be freely given, specific, informed and unambiguous, and must be signalled by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count. Consent requests must be unbundled from other terms and conditions and presented as clear, granular opt-ins, and individuals must be able to withdraw consent as easily as they gave it.
TIP: Public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health, biometric or genetic data), must appoint a Data Protection Officer (DPO).
Risk of non-compliance with the GDPR: More data is produced today than ever before, which makes managing data at scale risky for organizations, especially those without a strategy in place or systems updated to handle the influx. Personal data is a broad category: it covers anything from someone's name or address to their IP address and other online identifiers, and everything in between. When the GDPR becomes enforceable on 25 May 2018, the most serious infringements (for example processing without a lawful basis, or ignoring data subjects' rights) can draw fines of up to €20 million or 4 percent of global annual turnover, whichever is higher; a lower tier of up to €10 million or 2 percent applies to other infringements, including failing to notify a breach. In addition, organizations will be legally obliged to report a personal data breach to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where that risk is high, the affected individuals must be told as well.
And while a fine is a huge consequence to face, don't forget the impacts that are harder to quantify, such as damage to brand reputation, loss of trust and a negative news cycle, all of which lead to lost future revenue and missed business opportunities.
GDPR compliance can reduce costs: While getting to full compliance can be difficult and complicated, once achieved, organizations will likely see significant benefits, especially corporations looking to expand in Europe. Because one regulation applies throughout the EU, organizations will spend far less effort reconciling separate national regimes, which brings direct savings and greater legal certainty. Some local variation will remain, since member states may set their own rules in areas such as the age of digital consent and employee data, so local advice will not disappear entirely.
What can you do to get ready for the GDPR?
To fully protect personal data, you need to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it, and so on. With the GDPR enforcement date just around the corner, here are a few recommendations to help you get GDPR-ready:
- Review your customer and vendor contracts and existing policies for GDPR compliance; in particular, the GDPR requires a written contract with every processor that sets out the subject matter, duration, nature and purpose of the processing and the processor's obligations, including security and prompt breach notification to you. Develop standards and processes that define the personal data lifecycle and help ensure data transparency, accuracy, accessibility, completeness, security and consistency.
- Identify what personal data you hold about EU individuals. Document and map what personal data is stored, where it came from, who it is shared with, and the purpose and lawful basis for holding it; keeping this record of processing activities is itself a GDPR requirement for most organizations. Delete any data that is no longer required for those purposes.
- Raise awareness of the legislation internally with your employees, subsidiaries and board.
- Update your security policies and procedures so they are easily accessible and easy to understand, and so they reflect the GDPR's requirement for technical and organizational measures appropriate to the risk: the regulation explicitly names pseudonymisation and encryption, the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and regular testing of those measures.
- Evaluate risks, strengths, and opportunities and establish governance for data usage and access.
- Encryption policies should require strong encryption for data both at rest and in transit. Encryption is named in the GDPR as an appropriate security measure, and a breach of data that was rendered unintelligible to unauthorized persons, for example by encryption, does not have to be communicated to the affected individuals. That relief only holds if the keys were not compromised along with the data, so key management and key separation belong in the same policy.
Vee Punia is Director, IT & Infrastructure at Q4 and has over 17 years of experience in IT infrastructure management, security operations, ITIL change management and service delivery for enterprise and SaaS platforms.