The General Data Protection Regulation (GDPR) is likely to hit smaller companies hard: a recent study shows that 82 percent of small and medium enterprises are unaware of the new legislation and could face large fines when enforcement starts next year.
The GDPR will replace all the existing data protection laws across Europe and shape the way in which companies handle, protect and profit from data. All businesses and not-for-profit organisations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU. In other words, European data protection law will now apply worldwide, and businesses have until May 25, 2018 to prepare.
So what exactly is the GDPR?
Through the GDPR, the EU recognises:
- The right to private life as a universal human right
- The right to have one’s personal data safeguarded as a distinct, standalone universal human right
It is by attaching rights to an individual's data, separately from the rights attached to the individual, that the EU can impose EU-grade data protection standards on businesses in other countries. The onus is on businesses to determine whether they are in scope. As you are reading AVAIL, it is a safe bet that your company is within its scope, but to test this assumption, consider three simple questions:
1. Is your organisation based in the EU?
2. Does your organisation handle data concerning EU-based individuals?
3. Does your organisation do any kind of business with organisations to which 1 or 2 apply?
If you answered yes to any of the three questions, it is most likely that your organisation is required to comply with the GDPR. Unless you are confident your existing data handling procedures are already compliant with the regulation, this means action needs to be taken now to prepare for the May 2018 deadline.
Fears of Non-compliance Are Well Founded
There has been a lot of noise in the IT press about swingeing fines, and the GDPR is frequently portrayed as the new corporate bogeyman. It has to be said that these fears are not without foundation: a two-tier sanctions regime will apply, and breaches of the law could lead to data watchdogs levying fines of up to €20 million or 4 percent of global annual turnover for the preceding financial year, whichever is the greater.
However, scaremongering is not a constructive approach. The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage. That's why Sungard AS advocates that organisations consider GDPR a central plank of business strategy that has high visibility with the Board.
A 12-Step Compliance Plan
Sungard AS resilience consultants have drawn up a 12-step plan to guide you through the GDPR process.
1 Brief senior management
Ensure the board is aware of the changes to the data protection law and how this affects the business.
2 Kick off a GDPR programme
This should be led by C-level executives (or heads of department in smaller organisations) and include the CEO, CIO, CSO and CCO, or whoever is responsible for compliance. The importance of having IT and legal people speaking the same language and briefing the executives cannot be stressed enough.
3 Consider whether your organisation needs to appoint a DPO
The GDPR requires public authorities and other organisations to appoint a Data Protection Officer (DPO) to guide GDPR implementation and monitor compliance if their core activities require regular and systematic monitoring of data subjects on a large scale, or if they process special categories of data on a large scale.
The DPO should head the data privacy governance structure, liaise with the supervisory authority (the Information Commissioner's Office for UK businesses) and report directly to leadership. The ideal candidate will be IT conversant, have good business acumen and be proficient on all GDPR matters. Recruiting a DPO may prove time-consuming, so we advise customers to make this a priority.
4 Update data governance policies and procedures
This will help ensure they reflect GDPR requirements.
5 Analyse the GDPR and understand the legal implications for your business
Identify the risks associated with your business model and address them by means of adequate data governance. Where appropriate, streamline processes. Pay attention to processes that use personal data for profiling. Marketing, HR and Sales will probably need to adjust their ways of working to ensure compliance.
6 Review your records management strategy
Identify where personal data is being collected or acquired, the purpose for which it is being processed, and whether it is shared with any other organisation. If this information is not currently available, a detailed investigation will be required so that all personal data, and its flow within the organisation, is accurately mapped.
7 Run an awareness campaign in your company
Unless your business is a one-man band, you need to ensure that all personnel are aware of, and engaged in, the quest for GDPR compliance.
8 Challenge the basis under which personal data is stored, collected and processed
Review the more prescriptive GDPR definition of consent and determine if a new request for consent is necessary.
9 Implement any necessary technical adjustments to ensure GDPR data rights are fulfilled
These are:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
- Rights in relation to automated decision-making and profiling
- The new right to data portability
10 Review the current mechanisms for international data transfers
Be aware that the adequacy of Privacy Shield (which replaced Safe Harbour) is currently a subject of concern.
11 Examine your supply chain
Ensure your efforts to comply are not undermined by engaging in business with non-compliant providers or business partners.
12 Embed privacy into your operations
This is the only sustainable way to ensure compliance on an ongoing basis. The GDPR is here and will remain for the foreseeable future, even after Brexit.