What is GDPR compliance?
The General Data Protection Regulation, or GDPR, is coming into effect on 25th May 2018, and many businesses are contemplating how it will affect them and what they need to do to comply.
And rightly so! There is a lot to do.
As a fortified replacement of the 1995 Data Protection Act (DPA) (95/46/EC), the GDPR gives individuals more control over how companies use their data and what they do with that data afterwards! This is especially important given the current ways cloud and internet technologies generate, gather and store individuals’ identifiable information, which the GDPR classifies as:
- Personal Data: Name, Identification Number, Location Data, Online Identifiers, Pseudonyms etc.
- Sensitive Data: Race, Ethnicity, Religion, Political Opinion, Beliefs, Genetics, Biometrics, Health, Sexual Orientation, etc.
So, what does that mean for YOUR business?
Tougher data protection laws mean harsher fines will be imposed for non-compliance or breaches, and these can be up to €20 million or 4% of your global annual turnover (whichever is greater).
Depending on a company’s size and whether it is part of a group, fines could run into the billions of euros, and a company could face more than one penalty if multiple violations are discovered.
Data protection fines of this scale have been rare in the past, though not unheard of – €1.46 million for 35 Lidl distribution companies, for example – and their frequency is set to rise when the GDPR is enforced.
So, it’s imperative to start looking into how YOU can become compliant!
Who does the GDPR apply to?
Whether your business is inside the EU or not, if it deals with EU citizens and your Data Controller and Processor uses and stores their data, the GDPR WILL apply to you!
Article 5(2) of the GDPR states: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
The principles being that Personal Data shall be:
- Processed lawfully with consent, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to the purpose for which it was collected
- Accurate and kept up to date where necessary
- Kept no longer than necessary
- Processed securely and protected against unlawful use, loss, destruction or damage.
“Accountability and Governance” is a major addition to the principles already found in the DPA and puts considerable legal obligations on the Processor. It makes them specifically responsible for the six principles above, especially if a breach occurs.
Now, you might be thinking:
“Hold on, my business isn’t even in the EU! How come I’m affected by this?”
Well, this is due to an additional ‘Extra-Territoriality’ clause, which extends accountability to ANY Data Controller or Processor of EU data. This is designed to include social networks, e-commerce companies, and other Internet-based organisations.
So, unfortunately, if you use or store any EU Citizen’s identifiable information, you must be compliant too!
Will there be challenges with the GDPR?
New legislation, a fast-approaching deadline, and an intimidating penalty for non-compliance are making most businesses anxious to ready themselves for 25th May 2018.
Indeed, a study commissioned in February/March 2017 by Veritas, an American international data management company, shows that 86% of the responding businesses were worried about the GDPR implementation.
Companies, from countries across the globe but with EU dealings, were asked:
- “What concerns you the most about the potential fallout from your organisation not being in compliance with the GDPR?”
  - 47% were concerned their business would not meet the legislation’s requirements, and worried about the effect that would have on their employees and business
  - 18% were concerned they might go out of business due to non-compliance
  - 21% were concerned they would have to let people go, believing this would offset inevitable fines
  - 31% were concerned their brand image would be affected – 19% believing negative media/social coverage would mean a loss of customers, and 12% fearing that their brand would be devalued as a result
  - 8% were concerned about losing market share, fearing prospects would believe competitors were better at looking after their data.
- “What concerns you most about readying your business for GDPR?”
  - 32% were concerned they cannot manage data effectively for lack of the proper technology, which would jeopardise their ability to search, discover and review data (essential for the GDPR)
  - 39% were concerned their organisation cannot accurately identify and locate data (again essential: the GDPR requires that Personal Data can be located within a very short time frame)
  - 42% were concerned they are unable to ‘value’ data by determining which data should be kept. (Organisations may only store personal data that is being used for its original purpose; it must be deleted thereafter. Failure to do so means a fine.)
  - 39% were worried about having to delete data from their systems (dark data) which might have proven useful in the future
  - 30% were worried about being unprepared to protect personal data from breach, loss or damage.
Are YOU worried about these factors when implementing the GDPR in YOUR business?
Veritas says that 65% of organisations are seeking assistance from third parties and are not afraid to allocate a sizeable budget, since the inevitable fines would far outweigh the costs involved.
The data management company said that by the time 25th May 2018 rolls around, the 900 businesses it interviewed expect to have spent over €1.3 million to achieve compliance with the GDPR.
So, how do YOU start the ball rolling?