×

Non-compliance Is Not an Option: Important Things to Know About the GDPR

By now all companies, both within the EU and on the outside, should be more than aware of the impending EU General Data Protection Regulation (GDPR) and how its implementation will affect businesses globally. Those who think the ruling doesn't apply to them should probably think again. Todd Ruback (pictured below), chief privacy officer, Ghostery takes ExchangeWire back to basics and tells businesses they must not panic, but they must understand how the law applies to them and prepare accordingly.

The important things to know about the GDPR

August is a time of lazy distraction, and with the Olympics and neverending drama of the US Presidential campaigns, distractions abound. These temptations aside, however, businesses worldwide need to start thinking about the EU’s impressive General Data Protection Regulation, or GDPR. Not only will it have a meaningful impact upon most companies in many ways that go beyond mere compliance, but it will require organisations to take a hard look at themselves and undertake the difficult task of understanding each process to determine how it impacts the privacy of their customers and employees.

The GDPR, while appearing complex, has a simple goal, namely to give control of personal data back to the individual. Remember that, and you are halfway home, but the devil is in the detail of course and establishing a transparent way to achieve this goal will prove to be a challenge for many. This is why it’s important to start thinking about the GDPR now and budget for the upcoming internal process changes that will need to occur throughout 2017.

In order to give control over personal data back to the individual, the GDPR imbues new individual rights that businesses must honour; and the bridge between the individual rights and corporate obligations is 'notice and consent'. That’s right, this big bad monster of a law is simply a 'notice and consent' regime. That’s pretty much the whole thing. However, here are some of the basics that businesses should think about.

Consent

Todd Ruback | Ghostery

Todd Ruback, Chief Privacy Officer, Ghostery

Notice and consent of your company’s data practices will need to be front and centre. Lawyer-speak buried in a website’s terms of use at the footer of a page that says use of the website or app constitutes consent to your company’s data practices simply won’t pass muster. Rather, companies will have to give prominent notice that takes a person to the place in the new privacy policy that clearly explains their new rights and ways to exercise them.

Application

The GDPR isn’t limited to European companies. Instead, this law has an expanded territorial reach and will apply to all companies that are selling goods or services to EU citizens. In practice, that means if you sell something to an EU citizen, even if you are based in Wyoming, then the GDPR kicks in.

Accountability

Companies have to be accountable for their actions, meaning they have to be able to demonstrate compliance. This may come in the form of reports and documentation, and also in the annual obligation to perform an internal data protection assessment to help determine if there is anything risky from a privacy perspective happening to its consumers. Other new accountability requirements include creating a data breach notification process to let data protection authorities know when a breach has occurred within 72 hours after a high-risk incident. This is a big deal. We can anticipate a significant increase in new internal compliance costs for most companies, something that may strain some industries with already thin profit margins.

Effective date

The GDPR takes effect on 25 May, 2018, which may sound like a lot of time, but it isn’t. Remember that by this date you need to be in full compliance and there will need to be a lot of internal process change and testing before you can flip the switch.

Fines

To comply, or not to comply, that is the question. As you ponder this philosophical dilemma, consider the potential fines for non-compliance. There are two levels of potential fines, the first allow local Data Protection Authorities to impose fines up to the greater of €10m (£8.66m) or 2% of your annual worldwide turnover (gross revenue) for specified infringements. The second tier of fines is for the greater of €20m (£17.3m) or 4% of your annual worldwide turnover for more egregious transgressions, such as failure to obtain the required consent or improper international data transfers. Ouch. At these levels, the fines can be crippling.

Next steps

Now that the general landscape is visible, what should you do to prepare? The first thing is to NOT panic. While the clock is indeed ticking, there is still plenty of time. The initial thing, however, is to know that the GDPR is coming sure and steady. In concrete terms, though, it’s not too early to begin an internal analysis of what work flows will be impacted by the GDPR through a gap analysis that baselines your existing processes against where you will need to be. This will give you objective data points to work against so you can get 2017 budgets and build a cogent project plan that includes implementing, testing, and maintains GDPR-compliant controls. This will all take time, effort and money, but it needs to be done. The downside is simply too great.