You’ve probably heard of GDPR, the EU’s General Data Protection Regulation that will take effect on May 25, 2018.
But are you ready to comply?
It’s an intricate regulation, which will require legal expertise to navigate, but compliance will essentially be about discovering, managing, protecting and reporting personal data.
GDPR applies to any organization that offers goods and services to people in the EU or that collects and analyses data tied to EU residents, whether the organization (or its corporate parent) is physically located in an EU country or not.
The cost of not complying? It’s not a slap on the wrist. It’s a spanking.
Companies that fail to comply with the new regulation can be fined up to 4 percent of annual global turnover or €20 million (whichever is greater) for “serious” breaches, such as processing customers’ data without their consent. (The request for consent must be presented in an “intelligible and easily accessible form,” clearly state that the consent is for data processing, and be as easy to withdraw as to give.)
There’s a tiered schedule of fines, but even relatively minor data-control and reporting errors can result in disastrous penalties. You can be fined 2 percent of turnover (essentially, gross revenue) for failing to notify supervising authorities and the individuals affected or failing to conduct an impact assessment. You can also be fined at that level if authorities find that your records are “not in order.”
GDPR applies not just to companies that control data; it also applies to those who process it (e.g., cloud services). Companies should ensure that every contract involving “personal data” (from contracts with data processors to employee contracts) contains appropriate contractual provisions, is centralized and accessible, tracks compliance, and supports good data management and reporting.
There’s no hiding if you’re not protecting EU consumers’ data.
What Can You Do If You’re Not Ready?
With a short window before the enforcement of GDPR, you need a solution that can be implemented quickly, such as AnyData’s compliance software tool. It is built on a platform that enables rapid team collaboration to discover what data exists and where it resides, supports a GDPR audit, and includes integrated contract management to store and monitor your overlaying contractual positions.
A phase 1 data-discovery exercise can begin in just hours, which is compelling given that there is not enough time to wrestle with solutions that take months to onboard, test, and execute.
You need such a solution to be in place on May 25, and ideally sooner, so that even if mistakes are made, you have a “defensible position” to present to regulators to show you haven’t been negligent in this matter and to avoid or minimize fines.
GDPR isn’t something you can ignore, but it’s also not something you need to fear, as long as you get your data and contracts in order now.