While it has been a long time coming, the compliance deadline for the EU General Data Protection Regulation (GDPR) will be a game-changer for the way organizations store, process, and transfer personal information.
Many companies across the US need to take note of the GDPR, as its reach is not limited to the EU. Rather, it will apply to any organization in the world that processes EU residents’ personal data.
The GDPR is ambitious, complex, and strict – with heavy penalties for organizations that fail to meet its requirements – so if you haven’t already put in place the correct measures, you should get started now.
Here are just some of the reasons you should be acting sooner rather than later:
It’s the law
The GDPR is a law and your organization is expected to be fully compliant before the May 25, 2018 deadline.
You can face heavy fines and penalties
The GDPR has a tiered structure of penalties. For instance, a company can be fined up to €10 million (approximately $10.90 million) or 2% of its global annual turnover for not having its records in order (Article 28), failing to notify the supervisory authority and data subject about a breach (Articles 31 and 32), or not conducting data protection impact assessments (DPIAs) (Article 33).
Violations of basic principles related to data security (Article 5) and conditions of consumer consent (Article 7) can merit a fine of €20 million (approximately $21.3 million) or 4% of the company’s annual turnover.
You can be sued
Individuals will have the right to seek judicial remedies against controllers and processors. They will also have the right to obtain compensation from controllers or processors for damages arising from breaches of the GDPR.
The Regulation is complicated
All organizations will have to make changes – in policy, processes, and contracts, as well as in technical and organizational compliance measures.
In other words: You will need to change the way you deal with your customers, partners, and key stakeholders.
You will need appropriate technical and organizational controls
Article 24 states that data controllers must implement “appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the Regulation.”
This is fine if you’re already compliant with ISO 27001, but if you only have basic information security in place, you will have a lot to do in a short period of time.
You will need to conduct data protection impact assessments
DPIAs will be mandatory for organizations with technologies and processes that are likely to result in a high risk to the rights of the data subjects.
Data breaches must be reported
As Article 33 states, it will be mandatory for organizations to report any data breach to their supervisory authority within 72 hours of becoming aware of it. To meet this requirement, US organizations will need to designate a representative in the EU, who must report to the supervisory authority of the country they are based in.
Organizations will also need to put in place incident response and breach reporting processes, which will need to include continual testing and maintenance.
There are new rules about transferring data to countries outside the EU/EEA
The GDPR creates a number of key practical implications for organizations transferring EU residents’ personal data outside the European Union. This is a complex issue, so IT Governance is covering it in depth as part of our GDPR webinar series.
Convinced that you need to get started?
If we’ve convinced you to get started immediately, you should consider enrolling in IT Governance’s Certified EU General Data Protection Regulation Foundation (GDPR) Online Training Course. It’s delivered in a Live Online format that will save you the time and cost of attending a classroom course.
Better still – it takes just one day to complete and is next running Tuesday, May 23.