In just over a year, the General Data Protection Regulation (GDPR) will come into force in Europe. This sea change in data privacy is aimed at improving protections for individuals within the European Union, providing them with more control over how their personal data is used.
It will also clarify and standardise from a legal standpoint how businesses are expected to operate with regard to data protection. With this in mind, smart business owners and directors are already preparing for its implementation.
There is much work to be done, however. According to a whitepaper from the DMA, a membership-based network of more than 1,000 companies, over a quarter (26 percent) of marketers feel their business is unprepared for the GDPR.
That’s a problem. But there is time for organisations to take steps now and ensure they are ready for the GDPR when it takes effect on May 25, 2018.
First, they should understand what the GDPR will require. According to “GDPR compliance: what organisations need to know” from Information Age, the following are requirements of the new regulation:
Extended jurisdiction. “Regulations will apply to any company collecting and/or processing EU citizen’s personal data regardless of where the company’s physical offices are located.”
Consent. Companies “will be required to obtain individual’s consent to store and use their data as well as explain how it is used.”
Mandatory breach notification. Companies “will now be required to notify the supervisory authority within 72 hours of discovering a security breach unless it is unlikely to ‘result in a risk to the rights and freedom of individuals.’”
Right to access. “Companies must be able to provide electronic copies of private records to individuals requesting what personal data the organisation is processing, where their data is stored and for what purpose.”
Right to be forgotten. “EU citizens will be able to request the controller to not only delete their personal data but to stop sharing it with third parties – who are then also obligated to stop processing it.”
Data portability. “The new regulation gives individuals the right to transmit their data from one controller to another. As a result, upon request, organisations must be able to provide an individual’s personal data in a ‘commonly used and machine readable format’.”
Privacy by design. “Security must be built into products and processes from day one.”
Data protection officers (DPO). “Both data controllers and data processors are now required to appoint a DPO.”
On a disturbing note, several reports indicate that some companies in the UK have stopped preparing for the GDPR due to Brexit. According to MarketingTech’s “24% of UK businesses have stopped preparations for EU Data Protection Regulations,” fully 44 percent of respondents to a survey believe – likely in error – that they will not fall under its jurisdiction. This is a dangerous assumption, as the article notes:
“‘Firstly, it is likely to be in place before any Brexit,’ said director of information management at Crown Records, John Culkin. ‘Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.’
The fines associated with EU GDPR are significant. They can be as high as €20 million or 4% of global turnover.” When looking ahead at the GDPR, it is far better to be safe than sorry. In this case, that means being prepared – or risk serious consequences.
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that, no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and a partner with Oracle.
In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners works as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.