GDPR - Are you or your company Compliant?

In May of this year I wrote a post about how GDPR was being implemented and enforced. As a reminder, on 25 May 2018 the General Data Protection Regulation grace period ended…

To coin a phrase, the honeymoon period is over.


Preface

Basically, GDPR is an evolution in data protection representing a step change rather than a leap into the unknown. GDPR is the world's widest-reaching data privacy regulation for organisations to date. Its aim is to protect individuals' private data (learn more about the GDPR here).

Here are 3 key GDPR myths that could cost organisations millions.

When it comes to GDPR, the European Union’s General Data Protection Regulation, many organisations appear to be asleep at the wheel. If you think that GDPR won’t affect your organisation, think again… Chances are you will be wrong, and it could cost your company significantly.

The implications of the GDPR are far reaching – within hours of it coming into force, almost $10 billion in fines had been lodged against companies.

GDPR: The basics

First, companies must be able to show compliance with GDPR by May 25, 2018. GDPR affects not only the EU nations, but all companies that keep data on EU customers, even if the company doesn’t maintain offices or servers in the EU.

GDPR affords customers in the EU protection of the following identifying types of information:

  • Racial and ethnic information, as well as sexual orientation
  • Identifying information, like names, addresses, and ID numbers
  • Health, biometric, and genetic data
  • IP addresses, cookie data, location, and RFID tags
  • Political leanings


The top 3 GDPR myths

Myth 1.

A product can make you GDPR compliant

There is no product on the market that can make your organisation GDPR compliant. The tools provided are meant to make the implementation of GDPR simpler by recording all information about customers in a single database.

GDPR states that consumer permissions must be validly obtained, and that data collection and storage must be transparent. Customers in the EU are able to exercise a right to be forgotten, which means that they can request that organisations erase all data held about them. Having this information in one location will greatly increase the assurance that your company is GDPR compliant.

Other important facets of GDPR include the fact that the supervisory authority must be notified within 72 hours of a data breach, and that safeguards need to be put in place for the protection of customer data, such as data protection impact assessments (DPIAs).

One of the most important and overlooked aspects about GDPR is that the best system in the world won’t work if employees are not properly trained.

All organisations will be required to appoint key positions to ensure that GDPR compliance is being met: Data controller, data processor, and data protection officer (DPO).

The DPO is responsible for driving the GDPR strategy, including security measures and overall compliance. The data controller oversees how personal data is collected and processed, and ensures that outside contractors are complying with GDPR. Data processors can include members of your organisation as well as partners like cloud providers. GDPR maintains that processors are liable for data breaches or non-compliance.


Myth 2.

GDPR doesn’t affect me

Think of the analogy of a tree falling over in a forest: If nobody hears it, does it make a sound? This is very similar to GDPR: If the EU passes a privacy law, can anybody in the US hear it?

GDPR enforcement will be funded by a concept very familiar to most Americans – ticket-book motivation. Imagine GDPR as a quaint town that derives most of its income from speed traps set throughout it. Unsuspecting drivers pay large fines for violating traffic laws that are strictly enforced. GDPR operates much the same way – organisations will face steep penalties for not following the rules.

Any organisation that believes GDPR doesn’t affect them might have a big surprise come June of 2018. Even if your company doesn’t have servers or a business presence in the EU, you must comply with GDPR if you:

  • Process personal data of EU citizens or residents
  • Have more than 250 employees
  • Have fewer than 250 employees, but regularly collect and process personal data of EU citizens or residents

From purchasing a product, to newsletter subscriptions to promotional offers, each facet of customer interaction requires that GDPR compliance is met.


Myth 3.

GDPR won’t be taken seriously

If you think for a moment that GDPR won’t be strictly enforced, you are setting your organisation up for an incredible and expensive shock.

GDPR penalties for non-compliance can be steep: up to $20 million or 4% of global revenue, whichever is higher. All indications are that GDPR will be strictly enforced, and that companies that aren’t demonstrating compliance will serve as the first examples of the very serious nature of this law.

GDPR myths could cost your company tens or even hundreds of millions. You want to be prepared, and you want to start preparing now.

Want more information on how to be better prepared for GDPR?


Conclusions

From my perspective, many customers feel they will probably have a grace period. That said, most are doing something but are still not fully compliant, which is a big concern. The majority just aren’t compliant and are waiting to see what will happen. The GDPR was announced two years ago, but the Privacy Commission is understaffed, so there will be time before penalties are handed out - this doesn't mean it won't happen; the fines are ready to be handed out. Companies in the EU are taking it much more seriously. Outside of the EU, it truly depends on their size and the extent to which they do business in the EU, and those not yet prepared are quite nervous.

Customers need to be able to find their data subjects' data accurately and in a timely manner – across all channels. They need to be able to perform deletion on demand for requirements such as the right to be forgotten. Data duplication and multiple data sources will be a significant issue in this deletion process…

Extraction is also important for requirements such as data portability – organisations need to retrieve data accurately on demand, using a flexible system.

Many think this is a superficial process, but they don't really understand the challenges and complexities of the regulation and what it involves. Data portability, for example, requires data to be provided in a universal format and not in the organisation's internal format; this is more demanding than customers have anticipated.

However, GDPR preparedness doesn't need to be absolutely perfect - we don't yet know the ramifications of the legislative process, so showing good-faith efforts is probably more important. Showing that policies, protocols and systems are in place, as well as an earnest attempt to comply, will be a big mitigator of liability and a significant first step in the right direction. Doing a lot of work to ramp up for the GDPR is critical, as is staying abreast of GDPR compliance, with a clear focus on how it is being implemented and interpreted and why fines are being given out.

My name is Mike Davis and I have been managing and supporting transformational change within major corporates for over 20 years. I am a keen contributor to the digital agenda and would be very interested in supporting and advising on successfully delivering business transformation change programs. Feel free to review my LinkedIn profile and should you wish to have a brief confidential discussion, a project or program review or engagement for a bid or program delivery please do not hesitate in contacting me.

Want to comment privately? Please let us know!

Sujatha Venkataraman

Digital transformation enabler-GRC programs.

6 years ago

Hi Mike - very well articulated. You are very right when you say there is no one "product" out there to help companies comply with GDPR. It has to be a slew of measures put in place and that spans across tightening of controls, masking confidential data, ensuring application security to prevent leakage and breaches, etc.

Calvin Kally

Director and Investor. Digital Thought Leader, Entrepreneur, Advisory Consulting, Motivational Life Coach, Philanthropist, Humanitarian, Victorian Certified Marriage Celebrant

6 years ago

Great information. As a People Person (HR/Payroll), it's great to see. We live in a society where data can be quickly abused (just look at those unsolicited call-center calls you get). Organisations need to be aware of the consequences (not just financial) of these breaches.

Alisdair Bach

SAP Programme Director & Trouble shooter | Future SAP & AI Advisory | Separation M&A TOM Architect | Finance Domain Business Transformation Expert | Data Alchemist | TOGAF Ent Arch - CTO | SAP Investor Analyst | XTed

6 years ago

Thanks Mike, fantastic content.
