In just 94 days, the much talked about General Data Protection Rule will be implemented. The big question to every organisation is, are you GDPR ready? Since the announcement of GDPR compliance, there has been a lot of confusion as to what it means and what will happen when it is implemented in May this year.
The confusion has brought concern to businesses and questioned a hefty amount of large businesses as to whether they are GDPR ready, which a lot of FTSE 500 businesses are not. Despite the negative news around GDPR, a recent survey shone light on the matter with a positive spin.
EfficientIP carried out a study that revealed almost three quarters (74%) or businesses are ready for GDPR and know the GDPR compliance rules. For the remaining quarter, here are five must know facts about GDPR compliance and how you can prepare.
Mandatory Requirements
When the day finally descends on businesses, it will be mandatory that a Data Protection Officer (DPO) is appointed. GDPR does not measure the protection based on size of business, rather on the amount of data that is being processed. There will most definitely be substantial amounts of data being produced whether organisations are made up of ten or ten thousand workers. Therefore, the DPO role will be there to make sure personal data processes, systems and storage not only adhere to the laws but evidence is also available.
Other mandatory practices organisations must carry out are Privacy Impact Assessments (PIAs). These will be necessary if and when the risk of a privacy breach is high; therefore data controllers are required to carry out a PIA to outline the effect this could have. The DPO of the company will need to ensure PIAs are carried out throughout various projects.
Data Breach Notification
If a data breach occurs within an organisation, it must be reported to the information commissioner’s office (ICO) within 72 hours. The discovery of a data breach is not the only thing to know about data breaches within GDPR compliance. Organisations will also be expected to have the necessary processes, and technology, in place to detect breaches before they even happen.
The implementation of technology and processes to detect breaches will be required and organisations will need to invest in both system changes and staff changes. Data processors will be required to notify their customers “without undue delay” after first becoming aware of the breach. This aims to ensure organisations are fully GDPR compliant, meaning they will not face absurd penalties and are protecting their customers.
Penalties
The biggest change that GDPR Compliance brings is the possibility of businesses facing hefty penalties. If an organisation is in breach of GDPR then they could face a penalty worth 4% of annual global turnover, or €20m, whichever is greater.
Organisations can be charged the maximum fine in the most serious cases, for example not having sufficient customer consent to process the data. However, the penalties are based on a tiered approach. Therefore, organisations can be fined another amount such as 2% for not having data in order or not notifying the ICO about a breach.
It may seem drastic to some, but with the number of data breaches that have hit the UK and the rest of the world it is imperative that user data is protected. Therefore, as businesses have had enough relayed regarding GDPR compliance there will be no first warnings.
Control
The controller of data is no longer the organisation under GDPR, instead the individual. It is a must know and carried out element of GDPR. The subject of the data has complete control for the data to be erased from databases under certain conditions. Additionally, GDPR requires organisations to remove any data that is no longer necessary to them.
GDPR compliance makes the power of right to access and right to be forgotten to be set into the hands of data subjects. Those subjects can choose whether or not their data is processed and held, or whether it is deleted. This is an important element of GDPR Compliance because if organisations do not follow the right to be forgotten rule it can cause serious problems for businesses.
– FTSE 500 companies still not GDPR ready
– GDPR fines can prove hefty
Organisations must also have technology in place that can carry out the task of deleting data as and when it is necessary. If this is not in place then businesses run the risk of being in breach of GDPR, building up a hefty fine for no reason.
Brexit Effect
The UK leaving the EU and finalising Brexit terms will have no impact on GDPR compliance. The regulation has the same expectations from every organisation around the world, meaning that compliance is the same when it comes to laws regarding how to handle user data.
Brexit is not an exit from GDPR compliance, as the regulations will be expected of every company across the globe. The regulation protects citizens located in the EU, regardless of their citizenship and for any organisation to have a presence in the EU they must adhere to the regulations.