While it’s been a long time coming, the new EU General Data Protection (GDPR) is a ‘game changer’ with respect to the way EU organisations store, process and transfer personal information. It will also have significant impact on any company outside of the EU which does business with EU residents. This includes just about every larger e-commerce operation in the world!
It’s worth taking a few minutes to look at just a few reasons you should not wait until the GDPR compliance deadline of 25 May 2018.
It’s the law
GDPR is a law in every EU member country and your organisation is expected to be fully complaint before the deadline.
Fines and penalties
GDPR has a tiered fine structure – a company can be fined up to 2% of turnover for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach (Articles 31 and 32), or not conducting impact assessments (Article 33). Violation of basic principles related to data security (Article 5) and conditions for consumer consent (Article 7) can merit a 4% fine.
You can be sued
Data subjects will have the right to seek judicial remedies against controllers and processors, as well as the right to obtain compensation from controllers or processors for damages arising from breaches of the GDPR.
All organisations will have changes to make: in policy, processes and contracts, as well as in technical and organisational compliance measure. In simpler terms, you will need to change the way you deal with your customers, partners and key stakeholders.
You will need appropriate technical and organisational controls
Article 24 says that data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the Regulation.” This is fine if you already comply with ISO 27001, but if you only have the basics of information security in place, you will have much to do in a short period of time. And, of course, you will need to document every one of these processes.
Data protection impact assessments
These are now mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of the data subjects.
It will now be mandatory (Article 33) for an organisation to report any data breach to its supervisory authority (DPA) within 72 hours of becoming aware of it. They also need to put in place incident response and breach reporting processes, including continual testing and maintenance.
If you’re convinced that you need to get started immediately, I can recommend that you immediately book a place on our next Certified EU General Data Protection Regulation Foundation (GDPR) classroom training course. The next classes are in Dublin (4 May), Brussels (30 March) and Amsterdam (4 April).