Is Your Business Ready For GDPR?
The clock is ticking. The deadline is just around the corner. Do you know if your company will be required to comply with the European Union’s new General Data Protection Regulation (“GDPR”)?
- Do we offer goods and services to people in the European Union (“EU”)?
- Do we have third parties which store or send data to the EU?
- Do we collect or analyze any data of EU residents?
- Do we have anyone located in the EU as part of our workforce?
If you answered yes to any of these questions, congratulations! You now have one year to figure out how to comply with the new regulations and avoid significant penalties. The good news is there’s still time to develop and execute an effective strategy for compliance, but it is going to take some work and most likely outside counsel from data privacy consultants and attorneys.
The new data protection law was adopted by the EU in April 2016 and is intended to bolster data protections for individuals in the EU. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of individuals in the EU, and to reshape the way organizations across the region approach data privacy. Companies, government agencies, and nonprofits that handle the personal data of people in the EU have until May 25, 2018 to comply.
The GDPR defines its scope as covering:
- Organizations established in the EU that process personal data, whether or not the processing itself takes place in the EU
- Organizations that offer goods or services to individuals in the EU (even if they are based outside of the EU)
- Non-EU based organizations that monitor the behavior of individuals in the EU, where that monitoring entails the processing of personal data
How does the GDPR define what constitutes personal data? Any information relating to a natural person (the "Data Subject") that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information to an IP address or other online identifier. Identifying and controlling personal data across every system that holds it will pose a significant challenge to organizations.
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring a lawful basis, such as the data subject's consent, for every data processing activity
- Encouraging pseudonymization or anonymization of collected data to protect privacy
- Requiring notification of personal data breaches to the supervisory authority (generally within 72 hours of becoming aware of the breach) and, in high-risk cases, to the affected individuals
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Basically, the GDPR mandates a baseline set of standards for organizations that handle the personal data of individuals in the EU, to better safeguard the processing and movement of that data.
What is the cost of non-compliance? How about a maximum fine of 4% of your total worldwide annual turnover or €20 million (about $21.9 million), whichever is higher? As the data controller, your company remains responsible for personal data it hands to an outsourced data host or processor, so it can be fined if that processor is breached. Your circle of control must therefore extend outside your corporate walls to the vendors and contracts you rely on.
While the GDPR represents an important step forward for individual privacy rights, it will require vast changes and potentially significant investments by organizations around the world to comply. The good news is that existing privacy methodologies can be leveraged to assess potential gaps and provide guidance to the organization. The time is now to develop your plan, dig into your data to better understand your potential exposure, and begin your journey toward compliance.
So what should you do?
- Start planning – if the process hasn't already been started, then get moving. The significance of this regulation warrants a dedicated resource to oversee the adaptation of business processes in response to it. Your first step should be to put together a team to develop and execute the strategy.
- Review data management processes – the team should give consideration to the information your company currently holds. It should review existing supplier contracts and conduct an assessment of what personal data the company currently stores, how it is being used, to whom it is being disclosed and to where it is being transferred. A full and comprehensive understanding of your current data privacy position will make life easier further down the line.
- Put data breach reaction procedures in place – for a company that does not have existing procedures for notification of data breaches to the data protection authority, the creation of a protocol will be mission critical. In the event of a breach, timing, accuracy and transparency are key, and failure to respond appropriately could have significant consequences.
Gilmore Jasion Mahler has recently launched a GDPR networking series bringing together companies in our market that are working towards their compliance goals. This series is an important step in facilitating knowledge sharing and real life examples of how companies are attacking this issue. If your company is interested in participating, please contact us at (419) 794-2000.
Matt Hoverman, CISA is a Director with Gilmore Jasion Mahler, LTD and leads the Firm’s IT consulting practice. He has spent his career helping businesses assess their IT risk level and creating a plan to maximize their technology investments. Concerned about other risks your company may be facing? Learn more about Gilmore Jasion Mahler's risk advisory services.