Ready or not, the European Union’s General Data Protection Regulation (GDPR) will impact businesses in the EU and beyond in only a matter of months.
The impending regulations create a tight legal framework for how companies can use individuals’ personal information and will replace a patchwork of 28 separate national privacy laws and the outdated 1995 Data Protection Directive with one set of rules for EU countries to follow. Essentially, the new regulations spell out how companies must guarantee the right to privacy, confidentiality and control of data for EU citizens.
The GDPR goes into effect May 2018 and will affect companies with operations — remotely or physically — in the EU as well as any organizations collecting data of EU citizens. This means most companies operating on a global scale need to prepare for these changes now.
A 5-Step Plan to GDPR Compliance
You likely won’t need to change your business model to avoid fines, but you will need to have appropriate compliance procedures in place. Operational and technological leaders should prioritize creating and implementing a GDPR readiness plan focused on data-privacy and security. Start with these five steps:
1. Don’t Resist
Privacy will finally have rules with teeth — so now is not the time to resist change. Since 2006, the EU courts have been battling companies in an effort to protect EU citizens’ data. Frequently companies paid the fine, then continued to follow the policies and processes that violated data privacy laws. GDPR is significant and needs to be taken seriously. Previous attempts were underwhelming at best, at times even absurd, such as levying fines based on what consumers “paid” for a free service.
Resistance will carry a hefty price tag this time around. Under GDPR rules, businesses can be fined up to 4 percent of total global revenue or €20 million (whichever is greater) for infractions pertaining to processing data, including failing to obtain proper consent or breaching the requirements relating to international transfers of the data. Clearly, EU regulators are sending a message to companies with deep pockets that flouting the law comes with severe financial repercussions.
2. Appoint a Data Privacy Officer
You may need to designate one person — such as a data privacy officer (DPO) — to hold responsibility for maintaining organizational compliance. GDPR differs from the regulations that preceded it in the nature, scope and type of data processing it covers.
Article 37 of the GDPR requires a designated DPO to fulfill certain tasks, such as regulatory compliance and training staff on data handling, for businesses that monitor personal data on a particularly large scale. An IAPP study found the new rules will require the appointment of 28,000 DPOs in the next couple of years in Europe and the U.S. alone. Computer Weekly reported that roughly 15 percent of all large enterprises had at least 5,000 employees, and would therefore require a DPO.
Even if your organization employs fewer than 5,000 people, it’s likely your current team doesn’t have experience in leading a charge of this scope and size.
3. Get Your Data Compliance Ducks in a Row
GDPR really tightens the screws on consent. You cannot claim someone consented to giving you their information based on fine print at the bottom of the website, or on a ‘pre-checked’ consent option on a form. Nor can you obtain consent to use the data for a specified purpose and then opt to use it for another purpose. You must also allow people to discover what data you hold that pertains to them and where it resides.
If you move data between jurisdictions, GDPR wants you to ensure the receiving jurisdiction also has stringent rules. This is one reason GDPR will have global impact, forcing other countries to align with the regulations. If you have a highly distributed cloud data architecture, you must be transparent about how widely data is stored and secure explicit consent from individuals that clearly states what is stored and where. You also need the ability to correct or delete data in all those places when asked.
4. Prepare to Delete
GDPR will allow people to withdraw their consent at any time, at which point a business is required to delete their data promptly, generally within a month. The “right to erasure” rule is not as absolute as the “right to be forgotten” ruling handed down by the EU Court of Justice in 2014, but it does obligate your business to delete an individual’s data when there’s no compelling reason to retain it. The exceptions include data that must be retained to satisfy other legal or regulatory obligations.
This new process has obvious legal implications. From an operational perspective, your team must plan the logistics now to ensure it is ready to delete data as soon as your legal team advises. Define appropriate point-people across your team, and develop an action plan for handling data deletion requests when consent is withdrawn.
5. Plan Your Communication Strategy
Data breaches in EU countries can currently remain under the radar, since there is no all-encompassing obligation to notify the supervisory authority (the ICO in the UK, a rough analogue of the SEC in the U.S.). That will change under GDPR.
Data privacy officers are responsible for reporting any breach of consumer data within 72 hours at most and within 24 hours “when feasible.” Failing to adhere to this regulation can result in one of the most severe penalties. This means your team must be prepared to properly communicate with and notify the authorities when a data breach occurs.
Think ahead to how you will communicate and position these new regulations and processes to your internal team. GDPR will have implications on your data processes that will likely affect even non-technical folks. Work with the leaders and managers across your team to relay information about new processes and regulations well ahead of May 2018.
Start Your GDPR Preparations Now
Don’t fall into the trap of assuming GDPR won’t impact how you do business. Start executing on your readiness plan now so you have ample time to deal with the big changes and challenges that may arise. When you invest the appropriate amount of time and resources to ensure your IT and data-processing policies are compliant with the new rules, you will save yourself more than a compliance headache — you can rest assured you’re acting with the best interests of your customers in mind.