In just over a year, the General Data Protection Regulation (GDPR) will come into force in Europe. This sea change in data privacy is aimed at improving protections for individuals within the European Union, providing them with more control over how their personal data is used.
It will also clarify and standardise, from a legal standpoint, how businesses are expected to operate with regard to data protection. With this in mind, smart business owners and directors are already preparing for its implementation.
There is much work to be done, however. According to a whitepaper from the DMA, a membership-based network of more than 1,000 companies, over a quarter (26 percent) of marketers feel their business is unprepared for the GDPR.
That’s a problem. But there is time for organisations to take steps now and ensure they are ready for the GDPR when it takes effect on May 25, 2018.
First, they should understand what the GDPR will require. According to “GDPR compliance: what organisations need to know” from Information Age, the following are requirements of the new regulation:
Extended jurisdiction. “Regulations will apply to any company collecting and/or processing EU citizens’ personal data regardless of where the company’s physical offices are located.”
Consent. Companies “will be required to obtain individuals’ consent to store and use their data as well as explain how it is used.”
Mandatory breach notification. Companies “will now be required to notify the supervisory authority within 72 hours of discovering a security breach unless it is unlikely to ‘result in a risk to the rights and freedom of individuals.’”
Right to access. “Companies must be able to provide electronic copies of private records to individuals requesting what personal data the organisation is processing, where their data is stored and for what purpose.”
Right to be forgotten. “EU citizens will be able to request the controller to not only delete their personal data but to stop sharing it with third parties – who are then also obligated to stop processing it.”
Data portability. “The new regulation gives individuals the right to transmit their data from one controller to another. As a result, upon request, organisations must be able to provide an individual’s personal data in a ‘commonly used and machine readable format.’”
Privacy by design. “Security must be built into products and processes from day one.”
Data protection officers (DPO). “Both data controllers and data processors are now required to appoint a DPO.”
On a disturbing note, several reports indicate that some companies in the UK have stopped preparing for the GDPR because of Brexit. According to MarketingTech’s “24% of UK businesses have stopped preparations for EU Data Protection Regulations,” fully 44 percent of respondents to a survey believe – likely in error – that they will not fall under its jurisdiction. This is a dangerous assumption, as the article notes:
“‘Firstly, it is likely to be in place before any Brexit,’ said director of information management at Crown Records, John Culkin. ‘Secondly, although an independent Britain would no longer be a signatory, it will still apply to all businesses which handle the personal information of European citizens.’
The fines associated with EU GDPR are significant. They can be as high as €20 million or 4% of global turnover.”
When looking ahead at the GDPR, it is far better to be safe than sorry. In this case, that means being prepared – or risking serious consequences.