The top agenda item for any corporation this year is making sure the company complies with Europe's General Data Protection Regulation (GDPR) before enforcement begins in May 2018. Our previous article gave a brief overview of the GDPR.
At many companies, a separate compliance team is responsible for meeting rules and regulations on time. The EU views data privacy as a human-rights issue, and firms have already had a two-year transition period since the regulation was adopted in April 2016, so the May 2018 deadline is not a surprise. The authorities will therefore be on the lookout for egregious cases of non-compliance.
Yet many companies are still not ready for the legislation. It applies to any company that processes the personal data of EU residents, wherever that company is based. A recent survey of 2,500 senior executives in the US, Europe, the Middle East, Africa and Asia Pacific found that 54% of companies have not "advanced their GDPR readiness."
The cost of non-compliance is always higher than expected, and it is both financial and reputational. Under the GDPR, the lower tier of administrative fines is up to 2% of global annual turnover or €10 million, whichever is higher. The upper tier is up to 4% of global annual turnover or €20 million, whichever is higher.
Appoint a data protection officer:
The regulation requires a data protection officer in defined cases. All public authorities, controllers or processors whose core activities involve "regular and systematic monitoring of data subjects on a large scale," and entities whose core activities involve large-scale processing of "special categories of personal data" must appoint a DPO.
The regulation does not specify the precise credentials of a DPO, but it requires the person to have "expert knowledge of data protection law and practices." The DPO must also report directly to the highest level of management, have access to the organization's personal data and processing operations and, crucially, be independent in carrying out the role.
This requirement is open-ended and flexible. The EU clarified in its final guidelines that an organization appoints a single DPO, but that DPO can be supported by a full-fledged team. The DPO should be located in the EU unless the organization "has no establishment within the European Union."
Privacy impact assessments:
A privacy impact assessment, which the GDPR calls a data protection impact assessment (DPIA), is a structured process for assessing the privacy risks of a processing activity and proposing steps to mitigate them. The GDPR makes it mandatory where processing is likely to result in a high risk to individuals. The process should be broken down into five steps: project intake, risk triage, impact assessment, control selection and monitoring.
Create a Data Register
Documentation is always essential. Once an organization has a clear idea of its readiness to meet the regulatory requirements, it needs to keep a record of the process. It should therefore maintain a Data Register, essentially a GDPR diary. The data protection authority (DPA) of each EU member state is the supervisory authority responsible for enforcing the GDPR.
The DPA will judge whether a business has been compliant when determining any potential penalty for a breach. Should a breach occur during the early stage of implementation, the business should be able to show the DPA its progress towards compliance through its Data Register.
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children's data), so it is useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.