May 2018 will be here before you know it, and that means your business needs to be ready to comply with the General Data Protection Regulation (GDPR). This regulation was approved by the European Union (EU) Parliament in April 2016 and will begin to be enforced on May 25, 2018. The regulation matters to any company anywhere in the world that stores or processes the data of people who live in the EU. Companies that aren’t in compliance will face hefty fines – up to $24 million (20 million euros) or 4% of annual global turnover, whichever is higher. The intent of this legislation is to protect the data privacy of EU citizens and to create consistent data privacy laws across Europe. You’re ahead of the game if you’re already complying with the Data Protection Act (DPA), the predecessor to the GDPR. Here’s what every business needs to know about the new elements of the GDPR.
Review the GDPR and Assess Its Implications for Your Company
Every company should familiarize itself with the elements of the GDPR and note the changes that might have the biggest impact on its organization. Since the Information Commissioner’s Office (ICO) is working closely with trade associations and representatives of various industries, these entities will become an important resource for companies in each industry as they navigate the GDPR changes that are critical to them.
Highlights of Key Changes
What Should You Do to Get Ready for the GDPR?
- Assess what needs to be done in your organization: Review the requirements of GDPR to understand the implications for your organization and be sure to update decision makers about what changes need to be made. For some organizations, changes will need to be made that impact several departments, so the sooner you get everyone on board, the better.
- Conduct an information audit: Audit what personal data you collect and store, where it came from and with whom you share it. One of the requirements of the GDPR is to record your processing activities and have effective policies and procedures in place.
- Update your privacy notices: Most likely, you will need to update how you communicate to your customers the ways you will use any personal data you collect, in order to be compliant with the GDPR. In addition, your privacy notice needs to explain the lawful basis for processing personal data.
- Individual rights and data portability: Since many of the individual rights outlined in the GDPR already exist under the DPA, if you are already following those requirements, there shouldn’t be a significant amount of effort necessary to comply with the new regulations. However, this is a good time to review your current procedures to be sure that everything is covered. Also, the data portability component is new, so consider how your systems would handle an individual’s request to receive his or her data in a commonly used and machine-readable form.
- Access requests: Verify that you can accommodate the new mandates about dealing with data access requests in 30 days.
- Consent: Review the detailed guidance on consent provided by the ICO. This guidance covers how you seek, record and manage consent. Consent is not assumed from silence or inactivity; it must be verifiable.
- Children’s data: The GDPR outlines special protections for children’s data, so consider whether your systems accurately verify ages and obtain a parent’s or guardian’s consent for children before processing their data.
- Data breaches: How would you handle a data breach in your organization? Now is the time to consider your current process and compare what you do with the requirements of the GDPR.
There has been some confusion around this new regulation, and some company leaders have been overwhelmed. The sooner you get your arms around the specific details that will impact your organization, the better prepared you will be in May.
Bernard Marr, 18th January 2018
Bernard Marr is an internationally best-selling business author, keynote speaker and strategic advisor to companies and governments.