Do you and your employees understand what the GDPR is?
Is your company ready for it?
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into full effect.
Replacing the Data Protection Directive of 1995 (Directive 95/46/EC), the GDPR strengthens the data protection rights of individuals, giving them more control over their personal data.
This landmark legislation also focuses on enforcing stringent rules for organisations when it comes to handling and protecting personal data.
Organisations operating in the European Union (EU), regardless of their size, must comply.
A common source of confusion is whether the regulation applies to companies outside the EU. It does: the GDPR has extraterritorial scope. It applies to your company, wherever it is established, if it offers goods or services to data subjects in the EU or monitors their behaviour, and so processes their personal data.
What is stipulated in the GDPR?
Under the GDPR, individuals have the right to access the personal data that organisations hold about them (the regulation uses the term "personal data" rather than the narrower "Personally Identifiable Information", or PII). This data may include name, photo, address, phone number, email address, bank details, medical information and even posts on social networking sites.
Individuals also have the right to receive their data in a portable format and have it transferred elsewhere (the right to data portability). Moreover, they can request that this data be rectified or erased. Profiling or tracking of their online habits or activities needs a lawful basis, which in practice often means obtaining their consent first, and they have the right to object to profiling.
Implications of the GDPR to your company
With the GDPR, data privacy should no longer be an afterthought in your business operations or procedures. It should be incorporated “by design and by default” and your processes should cover all individual privacy rights stipulated in the regulation.
Your company needs to audit its data collection and handling processes and work towards making them GDPR-compliant. This includes developing a clear system for securing and recording consent, as well as establishing a lawful basis for each processing activity.
Moreover, you should have robust security controls in place to protect this personal data and reduce the risk of breaches. With the GDPR requiring organisations to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them (and to notify the affected individuals without undue delay when the breach poses a high risk to them), it is imperative that you have the monitoring technology and the incident response process to spot and contain these incidents quickly.
Why should you comply?
With barely a year before its implementation, ensuring that your company is GDPR-compliant must be your priority now. Failure to comply has serious repercussions.
Non-compliance can result in hefty fines. Your company may end up paying up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Additionally, it is the organisation, as controller or processor, that pays the fine, regardless of whether the breach was caused by an employee, a contractor or an external attacker.
On top of paying big fines, failure to comply can tarnish your brand reputation. This alone can result in a decline in customers and, consequently, financial losses.
Moreover, under the GDPR it is easier for individuals to take legal action against companies that infringe their data protection rights. They can claim compensation from your company for non-material damage, such as distress, as well as for material damage.
Where do you start?
Despite the huge penalties and potentially irreparable damage that non-compliance with the GDPR may bring, some companies choose to keep this matter at the bottom of their agenda.
In fact, 20% of Irish organisations claim that GDPR compliance is not their priority. Meanwhile, a survey last year showed that 63% of Chief Financial Officers (CFOs) lack awareness and a thorough understanding of the GDPR. This has dire consequences. You do not want your company in this position.
Establishing and implementing GDPR-compliant processes can be a complex and overwhelming endeavour, especially for small and medium enterprises. Yet this is a task that you must start working on now.
Get key people in your organisation involved in the project and ensure that they have a good grasp of what the GDPR is and what it requires. Evaluate your current processes, map where personal data is collected, stored and shared, and conduct a gap analysis against the regulation's requirements.
Also, do not hesitate to seek the help of experts when planning your approach to GDPR compliance.
For more information, please continue reading now or ask us a question about GDPR.