GDPR is coming to a project near you soon and you best be prepared. Introduced in April 2016, the General Data Protection Regulation (GDPR) will have a major impact on companies around the world.
Although GDPR was introduced by the EU two years ago, it becomes enforceable on May 25, 2018, and most businesses are woefully unprepared.
Even companies that aren’t based in the EU stand to be impacted. If your company processes the personal data of EU citizens or residents then GDPR applies to you, regardless of your location. As a result, almost every major company, business, and media group is affected.
Everything we do, whether or not it’s in our personal or professional lives, revolves around data, and the stated aim of GDPR is to give citizens back control of their data and personal information.
It prescribes how personal data should be processed, stored, transferred and so on. It’s based on pre-existing legislation in several EU countries and was designed to streamline data protection across Europe.
The main issue many companies have with GDPR is that while it mandates consumers’ data must be reasonably protected, it doesn’t define what the term ‘reasonable’ specifically means. This data can include identity data, health records, web information, biometric data, race and sexuality and political beliefs.
Know Your Company, Know Your Role
Larger companies will have to reserve more time to implement GDPR than smaller ones. In particular, companies need to consider which role they fulfill under GDPR — whether the company is a data controller or data processor.
A data controller is an individual or entity that decides how data will be used and for what purpose, whereas a data processor is an individual or entity responsible for processing (adapting, recording, holding or obtaining) personal data.
Initially, it takes less time to prepare for GDPR for companies that act as processors as they only process data on behalf of the controller, and in the end, the controller is mostly responsible for troubles involving personal data. However, the processor shares the controller’s responsibility to the extent of how the data was processed.
For example, if there is a case involving data leakage or fraud, the processor will be responsible if this data was processed in a manner that does not adhere to GDPR, but the controller will be liable for the case itself by delegating the transferal of the data to the non-compliant processor.
Are You Ready for GDPR?
The cost of GDPR implementation depends on the size of your company and the complexity of your internal system. For example, if you already have team members who have technical expertise, you most likely won’t need to hire new staff.
A major requirement of GDPR is the assignment of a Data Protection Officer. This officer doesn’t have to be new, it can be any existing employee with enough expertise to handle data.
Implementation will cost larger companies more. According to one PwC survey, 68 percent of companies based in the United States expect to spend between $1 million and $10 million on GDPR. The true cost will depend primarily on your pre-existing system and focus on data.
Bear in mind there are currently no qualified certification agencies for GDPR, but there are numerous companies who do offer such services. These certificates do not in any way guarantee GDPR compliance and you should wait until after May 25, 2018, before seeking such certificates.
If you fail to fully implement GDPR, there will be consequences, but they won’t occur immediately after May 25, 2018.
It is technically possible to do without GDPR compliance (although I strongly recommend against this), however, GDPR also mandates that an inspection process will be carried out by the European Commission.
If your company is subject to an inspection and it is found to not be in compliance with GDPR, the penalties can be severe. Up to 20 million Euros, or 4 percent of annual world revenue (whichever is higher), can be levied for non-compliance.
Your company will be far better off implementing GDPR as soon as possible. Not only will this remove any possible legal ramifications, but it will also make your company more attractive as a business as compliance is an outstanding asset for existing and potential customers in Europe, giving you a distinct advantage.
Don’t get left behind. Failing to implement GDPR could have a catastrophic impact on your business. Make sure you implement the actions listed above, study the legislation and ensure that every aspect of your business is covered.
It might seem overwhelming, but implementing GDPR needn’t be too painful. Good luck!
Photo via Shutterstock