The General Data Protection Regulation (GDPR) will come into force in Europe in just over a year. This sea change in data privacy aims to improve protections for individuals within the European Union, providing them with more control over how their personal data is used.
It will also clarify and standardise how businesses are expected to operate regarding data protection from a legal standpoint. With this in mind, smart business owners and directors are already preparing for its implementation.
There is much work to be done, however. According to a whitepaper from the DMA, a membership-based network of more than 1,000 companies, over a quarter (26 per cent) of marketers feel their business is unprepared for the GDPR.
That’s a problem. But there is time for organisations to take steps now and ensure they are ready for the GDPR when it takes effect on May 25, 2018.
First, they should understand what the GDPR will require. According to “GDPR compliance: what organisations need to know” from Information Age, the following are requirements of the new regulation:
- Extended jurisdiction: Regulations will apply to any company collecting and/or processing EU citizens’ personal data regardless of where the company’s physical offices are located.
- Consent: Companies will be required to obtain individuals’ consent to store and use their data and explain how it is used.
- Mandatory breach notification: Companies will now be required to notify the supervisory authority within 72 hours of discovering a security breach unless it is unlikely to “result in a risk to the rights and freedom of individuals.”
- Right to access: Companies must be able to provide electronic copies of private records to individuals requesting what personal data the organisation is processing, where their data is stored and for what purpose.
- Right to be forgotten: EU citizens will be able to request the controller to delete their personal data and stop sharing it with third parties – who are then also obligated to stop processing it.
- Data portability: The new regulation gives individuals the right to transmit their data from one controller to another. As a result, upon request, organisations must be able to provide an individual’s personal data in a ‘commonly used and machine-readable format’.
- Privacy by design: Security must be built into products and processes from day one.
- Data protection officers (DPO): Both data controllers and data processors are now required to appoint a DPO.
On a disturbing note, several reports indicate that some companies in the UK have stopped preparing for GDPR due to Brexit. According to MarketingTech’s “24% of UK businesses have stopped preparations for EU Data Protection Regulations,” fully 44 per cent of respondents to a survey believed – likely in error – that they will not fall under its jurisdiction. This is a dangerous assumption, as the article notes:
‘Firstly, it is likely to be in place before any Brexit,’ said director of information management at Crown Records, John Culkin. ‘Secondly, although an independent Britain would no longer be a signatory, it will still apply to all businesses that handle European citizens’ personal information. The fines associated with EU GDPR are significant. They can be as high as €20 million or 4% of global turnover.’

Looking ahead at the GDPR, it is far better to be safe than sorry. In this case, that means being prepared – or risk serious consequences.
Who is CRI® Group?
Based in London, CRI® Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, TPRM, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO-certified provider and partners with Oracle.
In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body that provides education and certification services for individuals and organisations on a wide range of disciplines and ISO standards, including ISO 31000:2018 Risk Management Guidelines; ISO 37000:2021 Governance of Organisations; ISO 37002:2021 Whistleblowing Management System; ISO 37301:2021 (formerly ISO 19600) Compliance Management System (CMS); Anti-Money Laundering (AML); and ISO 37001:2016 Anti-Bribery Management Systems (ABMS). ABAC® offers a complete suite of solutions designed to help organisations mitigate the internal and external risks associated with operating in multi-jurisdiction and multi-cultural environments while assisting in developing frameworks for strategic compliance programs. Contact ABAC® for more on ISO Certification and training.