Is your company ready for the GDPR?
If you're like most, the answer is likely “no.” Or just as likely, it will be a question: “what exactly is the GDPR?”
What Does GDPR Have to Do With Me?
The European Parliament adopted the General Data Protection Regulation on April 14, 2016 as a measure to improve the levels of protection of European Union citizens' data. The regulation is scheduled to go into effect in May 2018, with wide-ranging implications for businesses doing business in the EU.
But an October 2016 survey by Dell found that 80 percent of companies surveyed knew little or nothing about the impending changes. In fact, 97 percent of companies had no plan in place to address the GDPR at all.
Even within the European Union, awareness remains worryingly low. A survey taken in early 2017 found only 68 percent of UK marketers thought their business might be ready to meet the GDPR’s May 2018 deadline.
We know what you’re thinking: If GDPR is EU law, what does it have to do with US companies? The truth is that GDPR is a global issue and ignorance of it could lead to some very serious financial repercussions.
So, if you are a US or North American company doing business with EU countries — that is, processing the data of any EU citizen — then heads up. Fines for non-compliance can be as much as $21 million, or 4 percent of your organization’s annual worldwide turnover, whichever is greater.
To give you some idea of the punitive impact this can have, in the UK in 2016, Tesco Bank experienced a data security breach that affected 9,000 of its customers. Had GDPR been in force when this breach took place, Tesco Bank would have been fined £1.9 billion ($2.3 billion).
That figure alone should be motivation enough to put an action plan in place.
Getting a Sense of the GDPR's Scope
The GDPR legislation is complex and far-reaching, laying out some specific mandates for businesses.
It compels businesses to securely collect and store — as well as more diligently use — the personal data of consumers in 28 EU member states. This will also include the UK, which will maintain equivalent laws post-Brexit.
The regulation affects all companies that do business in the EU, with watchdogs in each country who will fine companies that misuse consumer data.
The regulation also upholds the so-called "right to be forgotten." That is, consumers can ask companies to remove personal data that's made public and companies must comply. The law also requires companies to report breaches to consumers within 72 hours.
How to Prepare for the GDPR
One of the reasons companies have put off GDPR compliance efforts is that it's expensive. PwC took out an ad in the Wall Street Journal recommending businesses put 4 percent of revenues aside for GDPR, as contingency against the aforementioned fines.
While that might be overkill, companies can start the process with a data audit. The audit should reveal how much data from EU residents the company currently holds.
Companies also need to prepare for a new climate in which consumers have rights over their data. For instance, businesses must comply with EU consumer requests for copies of their digital data. This will entail producing a record of all the personal data you hold for the citizen making the request, at no cost to them, within 31 days.
The laundry list of tasks GDPR creates is formidable and, with a little over 400 days to address them, businesses need to start including GDPR in their plans now.
Examine your current data collection and handling practices. Do you know what you store, where it comes from and why you store it?
EU citizens who issue a Data Subject Access Request will want to know the answers, and you’ll need to deliver them.
Holding on to data for longer than you are legally allowed opens you up to problems. Take the opportunity to purge all the personal data you no longer need or use.
Assess your practices
GDPR makes it clear that businesses must ask for explicit consent to collect, process, use and share personal data.
Silence, pre-ticked boxes or inactivity do not constitute consent. Ensure you verify how consumer consent was given to you and make clear your intentions at opt-in opportunities. It also makes sense to update your data security policies.
Appoint a Data Protection Officer
Under GDPR, multinational companies working across the EU will need a Data Protection Officer (DPO). It will be the DPO’s job to inform and advise your organization and its employees of their obligations to comply with GDPR.
Prepare for a breach
Putting aside the money to pay a fine is a shrewd, if fatalistic, idea. Equally useful will be ensuring you can respond appropriately in the event of a data breach. This means being able to identify the breach and notify all those involved within the legally required 72 hours.
Keep an eye on Privacy Shield
The replacement for the Safe Harbor agreement (to ensure the personal data from EU citizens is protected when processed by US companies) could face review once GDPR comes into force, as the new law could set the data protection bar higher for Privacy Shield to meet.