While it’s been a long time coming, the final approval and deadline for compliance with the new EU General Data Protection Regulation (GDPR) is a game changer with respect to the way organisations store, process and transfer personal information. It will also have significant impact on any company outside the EU that does business with EU residents. This includes just about every larger e-commerce operation worldwide!
The EU GDPR is ambitious, complex and strict.
Don’t wait until 2018 – Get Started Now
We’ve launched our new Certified EU General Data Protection Regulation Foundation (GDPR) Online training course this week. Putting the excitement of a training services marketing manager (that’s me) aside, it’s worth taking a few minutes to explain just a few reasons why you should not wait until the GDPR compliance deadline of the 25th May 2018.
It’s the law
GDPR is a law, and your organisation is expected to be fully compliant before the deadline.
Fines and penalties
The GDPR has a tiered structure of fines – for instance, a company can be fined up to 2% of turnover for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach (Articles 31, 32), or not conducting impact assessments (Article 33). Violations of basic principles related to data security (Article 5) and conditions for consumer consent (Article 7) can merit a 4% fine.
You can be sued
Data subjects will have the right to seek judicial remedies against controllers and processors, as well as the right to obtain compensation from controllers or processors for damages arising from breaches of the GDPR.
All organisations will have changes to make: in policy, processes and contracts, as well as in technical and organisational compliance measures. Or, in simpler terms, you will need to change the way you deal with your customers, partners and key stakeholders.
You will need appropriate technical and organisational controls
Article 24 says that data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the Regulation.” This is fine if you are already compliant with ISO 27001, but if you only have the basics of information security in place, you will have much to do in a short period of time. And, of course, you will need to document every one of these processes.
Data protection impact assessments
These will be mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects.
Data breaches must be reported
It will be mandatory (Article 33) for an organisation to report any data breach to its supervisory authority (data protection authority, or DPA) within 72 hours of becoming aware of it. Organisations also need to put in place incident response and breach reporting processes, which will need to include continual testing and maintenance.
If you’re convinced that you need to get started immediately, I recommend that you attend our next session of the Certified EU General Data Protection Regulation Foundation (GDPR) Online training course. It’s delivered in a Live Online format that will save you the time and cost of attending a classroom course.
Better still – it takes just one day and is next running on Tuesday, 28 June.