Along with losing weight and exercising more, your 2018 New Year’s resolutions should include this: Get your company compliant with the General Data Protection Regulation by May 25.
Or else?
Or else your company could face €10 million to €20 million in fines – not to mention risk a public relations nightmare.
BACKGROUND
The European Union Parliament adopted the GDPR in April 2016 to protect the personal data of EU citizens and regulate how such data may be used. This regulation not only applies to organizations — data controllers and data processors — located within the EU. It also applies to those outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. (This means you!) The exception is organizations in the United Kingdom, which is expected to have its own, similar regulation post-Brexit.
Parliament said in a news announcement at the time that the GDPR aims “to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era.”
Provisions include a user’s “clear and affirmative consent” to the processing of private data; a user’s right to transfer data to another service provider and to know when their data has been hacked; access to privacy policies that are explained in clear and understandable language; and stronger enforcement and high fines as a deterrent to breaking the rules.
RELEVANT DEFINITIONS
Personal data is any information related to a natural person (the data subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, or an email address to bank details, posts on social networking websites, medical information, or a computer IP address.
A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller.
WHAT YOU SHOULD DO
Experts agree GDPR awareness is crucial from top to bottom of an affected organization. You need to educate personnel and establish protocols. Do you have an emergency handbook for coping with data breaches? This is the time to consider one. In some circumstances, you may need to appoint a Chief Data Protection Officer.
Other recommended steps are reviewing and documenting your data security procedures. Have you done a security audit or penetration test lately?
Note, too, that the GDPR requires servers which hold or process any personal data to be located within compliant facilities.
If all this seems overwhelming, don’t worry. Consultants are available to help. Some experts even point out any expense you may incur adding help for GDPR compliance will likely be far below what you’d pay in penalties for non-compliance.
ABOUT THOSE FINES
Fines are case specific and reportedly will be levied mostly when violations result in real damage. Violators should be ready to shell out up to €10 million to €20 million, depending on which section of the regulation is breached: obligations such as registering the user’s correct consent, holding the correct authoritative certifications to process sensitive data (such as the correct PCI-DSS level to process credit card information), and so on; or violations of the rights and freedoms of data subjects, in areas such as cross-border data transfers, handling and securing personal data, and transparency about why and how you handle data.
For more information about this topic or ways to more effectively leverage your data, contact your InfoTrust Consultant today.