GDPR Is a Year Away: Will You Be Ready?
In May 2018, the European Union’s new General Data Protection Regulation will take effect, forcing companies that do business in the EU to comply with strict new standards for data privacy and security. While it won’t have the force of law for another 14 months, the GDPR is already influencing data protection strategies around the globe.
Unlike previous EU data protection rules, the new law applies equally to any organization that operates in Europe, no matter where the organization is based. Companies that collect, process, or transmit protected information about EU citizens face multi-million-dollar fines and other sanctions if they fail to comply with the GDPR.
Given the law’s broad scope and demanding requirements, the approaching deadline poses a major challenge for corporations and regulators alike. Organizations around the world are updating their business models and security architecture to ensure that they’re in compliance by next year. In a recent PwC survey, 92% of the US employers surveyed said they consider GDPR compliance to be a top information security priority, and 77% said they expect to spend more than a million dollars preparing for the GDPR.
What's at Stake
Why are so many organizations suddenly willing to devote seven-figure budgets to data protection? The answer lies in the unprecedented fines that supervisory authorities (the government entities that will enforce the GDPR in each member state) can impose for GDPR violations. Especially notable is the provision that corporations can be fined up to 4% of their top-line revenue for violations—a number that would exceed $1 million for most global corporations and could top $1 billion for a Fortune 100 firm.
Heavy fines aren’t the only penalties that organizations can incur for non-compliance. Depending on the nature and severity of an organization’s infraction, the GDPR empowers supervisory authorities to take a wide range of corrective actions, including all of the following:
- Ordering additional audits to investigate suspected violations
- Ordering companies to notify individuals that their personal data has been compromised
- Suspending or terminating an organization’s data processing operations
- Ordering organizations to remediate or delete data
- Restricting an organization’s ability to exchange data across international borders
Organizations that violate the GDPR are also likely to experience a loss of public trust and reputation, in addition to lawsuits from individuals whose personal information has been lost, stolen, or otherwise mishandled.
The GDPR replaces Europe’s twenty-year-old Data Protection Directive and addresses a wide range of data privacy and security issues. It includes new requirements for data controllers and data processors—companies that collect, store, process, or transmit personal data—as well as new rights for individuals. Some of the law’s most notable provisions are listed below.
- Organizations are expected to incorporate data protection into their products, services, and business practices “by default” and “by design,” and must be able to demonstrate that they have taken steps to secure personal data throughout their operations.
- Individuals will have a “right to be forgotten,” meaning that they can request the deletion of their personal information from an organization’s records.
- In the event of a data breach, a business must notify authorities and affected individuals within 72 hours. This notification is not required if the stolen data was protected by strong encryption.
- Many organizations will need to appoint a Data Protection Officer to monitor data security practices and ensure compliance with the GDPR.
- Organizations will be required to meet a higher standard for obtaining consent before they collect or process someone’s personal information.
- Individuals have the right to request a copy of their personal information from a data controller in a portable format.
Guidance on complying with these and other GDPR provisions will be released by the EU’s Article 29 Working Party, a group made up of EU Commission members and each EU member state’s data protection authority.
Steps to Take Today
It’s important to note that organizations based in the UK will not be able to use Brexit as a pretext for ignoring the new law. The UK will still be a member of the EU when the GDPR takes effect on May 25, 2018, so its provisions will be legally binding in the UK beginning on that date. British officials have also indicated that the nation’s post-Brexit data protection regulations will mirror the GDPR.
If the GDPR will apply to your organization, be sure that your preparations include the following steps:
- Initiate a data discovery process to determine how much personal information you are collecting on EU citizens, and how it is being used.
- Update your current privacy notices and other documentation to align with GDPR requirements.
- Review your procedures for obtaining consent before collecting or processing personal information, especially information on children under age 13.
- Consider adding encryption to any business process that involves sensitive personal information. The text of the GDPR specifically recommends encryption and exempts organizations from certain notification requirements when they use encryption.
- Determine whether your organization is required to appoint a Data Protection Officer, and consider who may be qualified to hold the position.
- Stay up to date as the Article 29 Working Party releases new guidance throughout 2017 and 2018.
For a more detailed look at the GDPR, read Data Protection by Design: Preparing for Europe’s New Security Regulations.