GDPR: Are You Ready?
The May 25, 2018 compliance deadline for new EU legislation which updates current regulations for consumer data protection is fast approaching, and a recent study indicates most companies are nowhere near ready. Based on a comprehensive online survey, the 2018 General Data Protection Regulation (GDPR) Compliance Report divulges that only 7% of organizations are currently in full compliance with the GDPR with an additional 33% stating they should be ready by May 25th. That leaves an overwhelming 60% of those surveyed who say they are at risk of missing the GDPR deadline.[i]
According to the study, the main non-compliance issue is not a lack of concern (80% of organizations surveyed confirm GDPR is a top priority) [ii], but a lack of knowledge. Not only are organizations in need of information security expertise, many do not fully understand the GDPR itself, nor how to align with its standards.[iii] Because the GDPR applies to not only businesses based in the EU, but all U.S. companies which process data from EU residents as well, learning the new legislation and how to move toward compliance is imperative. We’ve provided a few steps to point your organization in the right direction:
Awareness is the first step toward compliance. Leadership should know whether or not they will be required to comply and should make it a point to understand the demands of the new laws. They should also appoint a data protection officer with professional experience and a well-versed knowledge of data privacy laws. [iv] Additionally, each body with personal information must know how they obtained the data and who they obtained it from, as well as who exactly they shared it with.
Create a Budget
Companies are setting aside between 1 million and 10 million dollars to revamp their data protection procedure, hire new staff and otherwise ensure they are in full compliance. Considering GDPR violations, even those committed unwittingly, can land businesses with fees upwards of 11 million dollars[v], setting aside a GDPR-readiness budget should a top priority.
Review and communicate protection policies and procedures
Under the GDPR, individuals have more rights than ever before, such as the right to access their data, demand inaccuracies be corrected, and opt out of direct marketing. [vi] Companies must ensure procedures accommodate these rights. Likewise, privacy information and procedure must now be clearly communicated to consumers, like the lawful basis for the processing of personal data, the data retention period, etc.[vii]
Obtain consent and verify age
Consumer consent must now involve affirmative action, be obtained transparently and made separate from all other terms and conditions, and cannot be made a precondition of signing up for a service.[viii]Under the GDPR, children must be at least 16 years old to consent to data-sharing. Companies must ensure the proper systems are in place to verify ages and/or obtain consent of a parent or guardian.[ix]
Eugdpr.org calls the GDPR the “most important change in data privacy regulation in 20 years”. It is comprehensive, specific, and designed to keep up with the challenges presented by the continuously evolving world of digital dependence and information exchange.[x] While the total revamp of data handling processes and procedures required may prove to be a headache now, a company’s full compliance with the GDPR is bound to give its consumers peace of mind, thus fostering trust, providing a competitive edge and, ultimately, proving beneficial for business.