General Data Protection Regulation (GDPR) is a series of EU regulations created with the intent of protecting EU citizens’ data by ensuring companies have measures in place to protect data and stop-or at least lessen-breaches and to increase accountability when such breaches occur. The GDPR applies to companies in the EU, but also to companies located elsewhere if they provide goods or services or monitor EU customer data, regardless of the company location.
Why is it important?
Penalties for breaching GDPR can include fines up to 4% of the annual global turnover or twenty million dollars, whichever is higher. These regulations will be enforced starting May 25th, before Britain exits the EU. Steep penalties will be levied on any company not adhering to the regulations. In addition to threat of fines, it is imperative for every brand to work ever-harder to be a technology leader, on the forefront of security and privacy standards in order to remain competitive in the global marketplace. Moving forward, this will need to be an ongoing effort, not merely a preparatory action or a reaction after the fact.
How should we prepare for GDPR to ensure our organization is compliant?
Begin with the basics: educate your employees. Such training shouldn’t stop at the IT level, but rather should extend to reach every area of the business. Hire an expert who specializes in data protection and possesses key knowledge around the differences in legislation for the various EU countries as it relates to data protection.
If it turns out that existing business processes will need to be modified to accommodate the new regulations, be sure to focus not just on the process, but also on the necessary technologies involved. And again, always provide adequate employee training.
Review your data:
Define what “personal data” means and understand where it resides at your organization.
Additionally, review your existing IT security policy and current data storage regulations and adjust them as needed. This should include-but is not limited to-the type of data collected and by whom.
Adjust your policies and teams:
Review your organization’s existing data privacy policies and processes to ensure they are compliant with this GDPR Compliance checklist and make tweaks as needed. Reorganize internally. You may find your organization may require the creation of new roles, such as Data Protection Officers, an individual in charge of documenting, managing how data is utilized.
Ensure your company is equipped with the right tools to detect, report and investigate a personal data breach. Modify or plan your consent policy and ensure considerations are in place for such things as age verification, either through identify management or other tools.
Preparing for the GDPR is one thing, continuing to refine your policies and processes as needed is just as critical. The State of the Art section of the GDPR (Articles 2, 5, and 32) asks that companies review their data governance policies and procedures on an ongoing basis since companies will need to document why they have or have not implemented the necessary GDPR safeguards. Remember, there is a high price to pay for procrastination. So be sure to plan and execute now and continue to review your policies and processes. Technology advancements happen much faster than policy!
Good process and procedures not only guard a company against litigation and fines, they also demonstrate the company’s commitment to taking its customers and their data seriously. It proves they are a trusted brand, a company that customers may interact and engage with globally. A company that can be trusted to be transparent and responsible in the event of a data breach.
For more information on the GDPR, including the penalties for non-compliance, please consult the GDPR FAQs here. Alternately, if you feel overwhelmed by the new regulations and the impending May deadline and would like some professional help ensuring your organization is GDPR-compliant in its handling of customer data, please reach out to us. We’d love to help you out.
Program Manager - Consumer Mobile Applications