EU GDPR Data Protection Regulations ‒ Four Ways to Manage the Risks
Are you ready for the GDPR? This new EU data protection regulation poses new risks for organizations of all shapes and sizes.
Time is running out to get in shape for the European Union’s new General Data Protection Regulation (GDPR), but many organizations are only just beginning to understand what this new EU data protection regulation will mean for them. The GDPR comes into force on 28 May 2018 across all 28 member states of the EU – including the UK, despite its intention to leave – but recent research suggests more than a third of organizations still aren’t clear on what they must do to comply.
The good news is many organizations are now picking up the pace. For example, a survey of IT decision-makers found that 65% now consider security to be their biggest investment priority for 2018, mostly because of GDPR. Nevertheless, the new EU data protection regulation is far-reaching and organizations just starting out on their compliance journey have a long way to travel.
The basics of the GDPR include:
- The need for explicit consents – organizations will have to obtain explicit consent for every different use of personal data. Customers must give this consent freely and on the basis they have been fully informed about the nature of each type of data usage.
- New rules on data processing – customers will have the right to object to having data about them processed unless the organization has compelling and legitimate reasons for doing it. Customers will always have the right to object to data processing done for direct marketing purposes.
- The right to be forgotten – customers will be entitled to ask organizations to delete their personal data where it is no longer required for its original purpose.
- Privacy by design – organizations will be required to minimize the collection and use of personal data. They must do this automatically as they design new products and services.
- Guaranteed portability – customers will be entitled to request that their personal data is transferred from one organization to another on their behalf when they switch companies.
- Limits on international data transfers – organizations will have to follow much stricter rules about sending data outside of the European Union, including to IT providers based elsewhere.
- The need for data protection officers – most organizations will need to designate a data protection officer whose responsibility it will be to systematically monitor the way the firm processes personal data.
- Tougher data breach deadlines – organizations will have just 72 hours to notify supervisory authorities that they have been subject to a personal data breach.
The new EU data protection regulation therefore poses some important risks for organizations. Most obviously, there is the risk of a compliance failure – aside from the substantial reputational damage this could cause, there is also the threat of direct and significant financial consequences. Regulators will have the power to fine organizations up to €20m or 4% of their worldwide annual turnover (whichever is higher) for the most serious breaches.
Equally, many organizations are now securing substantial value from the data they hold on customers. Revenues may be at risk if they are unable to monetize their data while remaining GDPR compliant.
Another potential risk concerns Brexit. As the relationship between the UK and the EU changes when the UK leaves the group, some provisions of the GDPR may come into play while others are no longer relevant. For example, EU-based organizations may no longer be able to transfer data to business units or subsidiaries based in the UK.
How, then, to manage the risks of GDPR in order to overcome the challenges that lie ahead?
Four basic principles will help you manage the risks of GDPR:
- Invest time and resources in data governance. Prepare your data and the processes you use to gather, store, manage and use it. Designate a data protection officer to manage your data governance.
- Develop technology infrastructure so it gives “protection by design”. Your data and analytics tools, technologies and systems should be controlled and compliant with your overarching goals, including GDPR compliance.
- Improve data security practices – focus on ideas such as privacy, proper use of data, consent and notification in every area of your organization.
- Build a GDPR team or appoint champions to lead the organization’s response to the new EU data protection regulation. This team’s job will not only be to manage the transition to GDPR but also to drive a compliance culture throughout the organization, through regular communication and appropriate training for all employees.
- The GDPR is a fundamental shake-up of EU data protection regulation that will apply to all organizations operating in the EU
- The GDPR comes into effect in May 2018, by which time all organizations must be compliant
- The GDPR exposes organizations to considerable risk, including lost revenue where data can no longer be monetized, and the potential for fines of up to 4% of global annual turnover for breaches of the regulation
- All organizations must take action now to ensure they are managing the risks posed by the GDPR effectively
Don’t be caught off guard by new legislation. Download The Risk Management Handbook: Supporting a Quality Culture Across Your Business