Is your company ready for the GDPR regulation in May 2018? The General Data Protection Regulation is a unifying standard of protection for data within the European Union. On an individual level, it allows customers to have more control over how their personal data is used. On a larger scale, the enactment of the GDPR simplifies data protection within international business. Most companies are preparing for GDPR’s enactment. For example, in 2017, a PwC study found that 92% of those surveyed considered compliance with the GDPR to be a top priority on the privacy agenda for their companies.
GDPR was adopted April of 2016 but will not be enforced until May 25 of 2018. It requires companies to get explicit consent for how they use consumer’s data. GDPR affects all those within the EU and any organization or company using personal data from members within the EU. The EU defines this personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. Anything from a name, home address, photo, an email address, bank details, posts on social media, medical information or a computer’s IP address.”
Companies are currently spending millions of dollars to become GDPR compliant. One study shows that 68 percent of U.S. based companies are expected to spend $1 million to $10 million to meet the requirements. The basis for investing so much money into GDPR compliance is due to fines for non-compliance, which can be up to 10 million Euro, or two percent of the company’s total annual turnover.
Those with access to personal data, dubbed “data controllers” must demonstrate compliance with the data protection principles. They must enforce Protection by Design and by Default (Article 25) which requires data protection to be designed into the development of products and services. Controllers are to use data for a specific purpose and on a lawful basis. Additionally, the European Commission states:
- The information obtained must be accurate and can be updated when necessary.
- Data can only be kept as long as necessary
- Data can be removed or changed by the person it belongs to
Data must not be excessive, only relevant to the current situation
How to Prepare
Make GDPR compliance a priority to your company. Involve all stakeholders in the project and consider appointing a Data Protection Officer to take over the data. Once you have prepared your people the next step is putting a strategy into place. CSO lists several measures that can be taken.
- Conduct a risk assessment
- Always aim for lower risk
- Ask for help if needed, especially if you’re a small company!
- Create a strategy for how you will respond to breaches (GDPR requires you report a breach within 72 hours)
Being non-compliant with GDPR will not only hurt your wallet but also your reputation. To maintain a good reputation make sure you have considered how it will affect your company now and in the future. By preparing for the GDPR in your company you are setting yourself up for global success. We hope you will make it a priority!
Interested in learning more about GDPR? Contact us.