The GDPR is Coming. What Does It Mean for My Organization?
Over the past few years, we have witnessed significant changes in the regulatory landscape for manufacturers doing business in Europe. One of the biggest concerns the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. The GDPR represents the most dramatic shift in European data protection law in over 20 years. Its requirements have global reach and touch nearly every function of an organization. It applies to companies with EU operations, and also to companies outside the EU that process the personal data of individuals in the EU when offering them goods or services or monitoring their behavior within the EU.
Where did GDPR come from and why does it exist?
First and foremost, it is important to note that Europeans view the protection of personal data as a fundamental right. This aspect of European culture arose partly in response to the events of WWII, and subsequent legislation has further embedded data protection in European law. In 1995, the EU adopted the Data Protection Directive, which governed the processing of personal data within the EU and restricted its transfer to countries outside the EU. Five years later, the European Commission and the U.S. Department of Commerce agreed on the Safe Harbor Framework to allow transfers of personal data from the EU to the U.S. After the Court of Justice of the EU invalidated Safe Harbor in 2015, the EU-U.S. Privacy Shield replaced it in 2016. The Privacy Shield is not part of the GDPR itself; it is a separate adequacy arrangement that remains one of the recognized mechanisms for transferring personal data from the EU to the U.S. under the GDPR.
The GDPR was developed to address the rapid changes in technology, data types, and data flows that have emerged since the Directive was established over twenty years ago. It aims to harmonize data protection regulation across the EU by replacing the Directive's differing national implementations with a single regulation that applies directly in every member state. Its expanded scope is intended to protect individuals in the EU, whether they are the employees or the customers of a company, whenever that company operates in the EU or offers goods and services to people there.
Many GDPR data protection principles are essentially the same as those previously established under the Data Protection Directive and include:
- Fair, lawful, and transparent processing
- Purpose limitation
- Data minimization
- Data retention periods
- Data security
New GDPR requirements include:
- Where consent is the legal basis for processing, it must be affirmative and unambiguous: silence, inactivity, or pre-ticked boxes do not count, and consent must be as easy to withdraw as it was to give
- Companies must have procedures in place so that individuals are able to:
  - Access the data maintained about them
  - Correct inaccuracies in the data
  - Have their data erased on request (the "right to be forgotten"), subject to exceptions such as legal retention obligations
  - Object to direct marketing, in which case the marketing must stop
  - Object to profiling, and avoid being subject to decisions based solely on automated processing that have legal or similarly significant effects
  - Obtain their data in a structured, commonly used, machine-readable format (data portability)
- Companies must perform a Data Protection Impact Assessment (DPIA) before beginning any processing that is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring
- Companies must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must also notify the affected individuals when the breach is likely to result in a high risk to them
- Companies must appoint a Data Protection Officer (DPO) if their core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (public authorities must always appoint one)
Penalties for breaching the GDPR are significant: up to 4% of annual worldwide turnover or €20 million, whichever is greater.
How do I prepare?
Before you begin, keep in mind that becoming fully compliant will take time, resources, and people. It may take a large organization a year or more to attain compliance with the GDPR's standards. A MAPI Ethics & Compliance Council member company recently shared its journey preparing for the GDPR at the fall 2017 council meeting; it has allotted itself a little over a year and a half to prepare. Preparing to comply can also disrupt the business and be costly: Gartner expects spending on information security to reach $93 billion in 2018, and it cites the GDPR as a key factor in that increase.
Consider hiring an external company to help you. In a recent poll of our Information Systems Management Council, 37.5% of responding members who were aware of the regulation hired an external company to guide them through the process.
Even if you hire an external party, key functions like IT, legal, marketing, audit, and HR will need to be involved in the process of preparing for and maintaining compliance with the GDPR.