Businesses in Europe and beyond are preparing – or at least they should be preparing – for the General Data Protection Regulation (GDPR), which comes into force from 25 May 2018.
Who Does It Affect?
The GDPR applies to EU-based companies and to companies that collect data on EU citizens (known as Personally Identifiable Information (PII)), regardless of whether they have a physical presence in the country. All businesses holding this data will need to ensure their procedures are fit for purpose and compliant when the new regulations and requirements for collecting, recording and storing personal data and for processing activities, together with the new rules on notifications, penalties and violations, take effect next year.
Businesses found non-compliant may face fines for serious infringements of up to €20 million, or 4% of annual global turnover, whichever is greater. These infringements can include violations of basic principles relating to data security, especially what is known as Privacy By Design principles such as minimising data retention and collection (Article 5) and gaining consent from consumers when processing data (Article 7).
A lesser fine of up to 2% of global revenue can be issued if company records are not in order (Article 30), if the supervising authority and data subjects are not notified after a breach (Articles 33, 34), or if impact assessments are not conducted (Article 33).
What steps should you and your business take now to prepare for GDPR?
The Information Commissioner’s Office and the BCC are urging businesses to prepare for the GDPR changes. They are recommending that businesses take the following steps and review their current procedures where appropriate:
Privacy – review privacy notices and plan for further changes
Consent – review how you seek, record and manage consent and whether you need to make any changes
Holding information – know where data is stored on your system, organise the personal data your business holds, where it’s sourced from and who it is shared with
Data protection officer – designate a Data Protection Officer to take responsibility for data protection compliance.
Data breaches – “always be monitoring” possible breaches, make sure the right procedures are in place to detect and report data breaches
GDPR Readiness Assessment
To prepare our clients for 25 May 2018, we are offering a GDPR Readiness Assessment.
This involves our team taking responsibility for set-up, configuration and analysis, to put you in a position to improve your GDPR compliance in advance.