What is the GDPR?
The EU GDPR is a law designed to enhance data protection for EU residents and provide a consolidated framework to guide business usage of personal data across the EU. How does it affect the rest of the world? Even if you are a U.S.-based company, if you have offices in the European Union, or have users or customers in the EU, you may have to comply with the GDPR.
If your company offers goods or services to individuals in the EU, monitors the behavior of individuals in the EU, and/or has employees in the EU, the GDPR may apply to your company.
Under the GDPR, organizations will be obligated to:
- Obtain unambiguous consent when collecting personal information from EU citizens.
- Appoint a Data Protection Officer (DPO) if your organization currently monitors individuals through targeted online advertisements or company loyalty programs.
- Provide breach notice to privacy regulators within 72 hours upon discovery, as well as notify data subjects.
- Grant individuals the right to have their information deleted as they see fit, or to request a copy of all automated data that a company holds about them.
The GDPR comes with significant penalties for non-compliance – fines up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher).
These penalties do not include any loss of business, loss of brand trust, loss of goodwill that may come along with non-compliance violations, or internal / external legal fees associated with responding to an inquiry.
Non-compliance could also lead to a significant loss of business to competitors who are able to demonstrate their GDPR compliance.
The GDPR Scope
The GDPR can be broken into 8 main dimensions:
- Collection and Purpose Limitation – does your company have the right to collect the information it collects, and does it use the information only for those limited purposes?
- Consent – does your company obtain the right consent for its data processing activities?
- Data Breach Readiness and Response – is your company ready to handle data breaches according to the GDPR’s requirements?
- Data Quality – what measures does your company take to help ensure the relevance, timeliness, accuracy, and completeness of the personal information it holds?
- Individual Rights & Remedies – a key change under the GDPR is the expansion of individual rights to include, for example, the Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure and Right to Data Portability. Because of this expansion, companies’ existing policies, processes, and procedures must be reviewed. In some cases technological changes will need to be made.
- Privacy Program Management – how does your company build, oversee, and demonstrate sound privacy practices?
- Security in the Context of Privacy – what technical and procedural measures are in place and designed to protect your company’s personal data?
- Transparency – how does your company disclose its data handling practices to data subjects?
Steps to guarantee the success of your GDPR Implementation
Identifying the right people, aligning everyone on a common set of goals, and providing them with the right tools and resources to accomplish those goals are the first critical steps in developing your GDPR compliance program. This includes a GDPR readiness assessment, a detailed implementation plan, and a communications program to build internal awareness and help secure resources and funding.
You will have to conduct a comprehensive inventory of your data (including classification by risk and type, and a map of data flows), a detailed review of privacy risks across your organization, and produce a findings report summarizing gaps and remediation recommendations.
The next step is the development of privacy policies and procedures that address GDPR requirements as well as policies, procedures, and processes necessary to execute your GDPR roadmap. This should also include employee training to address a wide variety of subjects.
Don’t forget to address cross-border data transfers between the EU and non-EU countries, which must be in alignment with Privacy Shield requirements.
It is also mandatory to manage third party vendor risk by creating policies and procedures along with training, technology implementation and ongoing management.
Maintain and enhance controls by conducting a Data Privacy Impact Assessment (DPIA) for any data processing that may result in “high risk”.
As you work through the DPIAs and identify compliance gaps and the measures needed to remediate, the next step is to remediate. It’s important to document remediation activities and track gap closure in one central place so you’ll have accountability-on-demand in the event of an inquiry.
Maintain assurance that data are not changed without authorization; and take measures to help ensure that data are accurate, relevant, timely and complete.
Set up methods to regularly review your compliance activities, and keep records that can be used for both internal and external reporting. As you build out your privacy program, identify the way or ways you can prove to internal stakeholders and external regulators your company’s compliance with each GDPR requirement. Remember that documentation of privacy notices and records of privacy-related escalation handling activities form an important part of this “demonstrable compliance.”
By taking the time to diligently step through all of the activities in the plan, you will have successfully secured GDPR compliance and protected the company’s hard-earned brand reputation, goodwill, and business valuation.
The GDPR is a complex regulatory regime. Some companies may feel comfortable with their current resources available in-house, whereas others may want to consult an expert or work with a team of professionals to help with certain pieces of the assessment, implementation, and maintenance. Law firms and consulting firms can be hired to provide recommendations.
How We Can Help
Stark HR has the staff needed to provide recommendations and the technology needed to leave your company with the tools to manage ongoing compliance, offering a comprehensive set of privacy management solutions to help you manage all phases of GDPR compliance.