Tick tock. 25 May 2018 is almost upon us. Companies and organisations in Europe and beyond are scrambling to prepare for the implementation of the General Data Protection Regulation (GDPR). This seismic standard affects just about any organisation handling data about Europeans.
With sanctions for non-compliance potentially reaching millions – possibly even billions – of euros, nobody wants to go down in history as first to feel the wrath of the GDPR. Further, given the heightened awareness of data protection and privacy following the Facebook and Cambridge Analytica scandal, the brand damage might make the regulatory penalty look small.
Data protection agencies across Europe may be complaining they don’t have the resources to police the new regulation, but the GDPR is happening. There’s no escaping it.
Not yet GDPR ready? Don’t panic. GDPR compliance is a work in progress.
Becoming fully compliant with all the obligations that apply to virtually every organisational process across departments and geographical locations is a tall order. As long as companies can demonstrate a serious approach to GDPR implementation, regulators have said publicly they will allow some leeway to adjust to the new framework.
So, what exactly is required to be GDPR ready?
Start by knowing what data you have, where it is stored and with whom it is shared. Then devise and implement a data retention plan. Less is more. Do not collect data you don’t really need. And don’t keep data unless absolutely necessary for a legitimate business purpose.
You must set out and update data protection statements and policies. The GDPR requires a long list of information disclosures to be made to consumers and employees. Make sure those disclosures are both concise and comprehensive, to avoid undermining the validity of consumers’ consent.
Not all of the GDPR’s obligations apply to every business or organisation, and sometimes not even in the same way. The standard recognises the difference between a data breach involving only individuals’ names and job titles and one leaking people’s banking details.
For high-risk activities, data protection impact assessments are required. This means identifying, documenting and sometimes reporting the likelihood and severity of privacy risks for individuals, as well as proposed measures of mitigation.
For many companies, the GDPR also requires the appointment of a data protection officer (DPO) and, for organisations without a physical location in the European Union (EU), a European representative.
Estimates vary, but research by the International Association of Privacy (IAPP) shows at least 75,000 DPO positions will be created. This won’t be a token role. Being a DPO calls for professional training and, optimally, certification.
Finally, prepare the technologies, systems and processes for respecting people’s data protection rights. One of the biggest, and most expensive, challenges of GDPR implementation is adapting companies’ systems to comply with a multitude of existing and newly established individual rights.
In short, there’s no time to be lost.