Enforcement of the EU General Data Protection Regulation (GDPR) begins on May 25, 2018. The GDPR is a step forward from the previous directive, enacted in the EU over twenty years ago, which left a great deal open to interpretation by each member state and did not reach beyond the borders of the EU.
Monitoring and regulating the former directive across member states, whose laws varied starkly, proved too difficult and fell below the standard of data protection the EU deserves. The EU has also come to understand that safeguarding its citizens means enacting regulations that extend beyond its borders.
The GDPR establishes more uniform protection of personal information across the whole of the EU. It holds every organization involved in processing the personal data of individuals residing in the European Union to the same standards, with the same consequences – regardless of whether the organization resides in an EU member state or whether the processing activity takes place in the EU.
The key repercussions: fines up to twenty million Euros or four percent of annual worldwide turnover (whichever is higher), a detrimental impact to reputation and brand, and a potential suspension of data processing in the EU.
“Much talk on GDPR centers on the fines, which are indeed substantial and affect a business’ risk profile,” says Duncan Brown, Associate Vice President at IDC and lead of the firm’s GDPR practice. “But fines are just the start: companies are also exposed to mandatory breach notification, class-action lawsuits, and potential suspension of data processing, which effectively stops a firm from trading. The increase in risk from processing personal data means that GDPR is a board-level issue.”
When preparing for the GDPR deadline, the following checklist is a helpful guide for any organization that processes personal data from the EU.
Assess whether the method for obtaining customer consent is compliant
This is especially necessary if your organization relies on consent to legitimize its data processing activities. First, the consent language must be clear and plain: "legalese" that only attorneys can understand, and that can be argued many ways, is no longer acceptable. Second, a person must take an affirmative action to give consent. Pre-ticked boxes and silence are no longer considered valid forms of consent and fall outside the rules of the EU GDPR.
Check that you have mechanisms in place to honor data subject rights, including the right for data to be erased
A person can request that their personal data be erased; subject to certain exemptions, personal data relating to that individual must then be deleted. This includes links to and copies of the data – which means a system for notifying partner organizations and data processors is necessary.
Be ready to deliver personal data to individuals
In certain circumstances, individuals can request a complete download of their personal data, delivered in a format that is easily compiled and transferable. They also have the right to request that the information be transferred to a similar company or a partner company.
Examine data breach notification measures
The GDPR outlines a mandatory data breach notification regime. If a data breach puts the rights and freedoms of individuals at risk, a notification must be issued without undue delay and no later than 72 hours after the organization became aware of the breach.
Obtain parental consent for information services offered to a child
New to EU data protection law is the GDPR's explicit inclusion of children. Explicit parental consent must be obtained for children under sixteen for all information services involving children. Note that some member states may lower the threshold to children under thirteen, but the GDPR will require consent for children in every member state.
Transparency is key
The aims of the GDPR are to remove any veils covering personal data, put greater power into the hands of individuals, and impose higher consequences when personal data is put at risk. Losing customer trust and loyalty is not the only consequence of poor data protection. Being negligent with data puts an organization at risk of heavy fines, a loss of reputation and brand, and a suspension of data processing in the EU.