By now, any company that does business in the EU is aware of the General Data Protection Regulation (GDPR) impacting all companies that handle personal data of EU citizens in the context of selling goods and services, even if the business is located outside of Europe. This is commonly viewed as the most strict data security framework in the world by compliance experts. As the May 25, 2018 deadline for GDPR compliance approaches, many customers are unsure where to begin.
How Will the GDPR Impact My Business?
The purpose of GDPR is to strengthen digital rights of individuals in response to the trends of a continued explosion of electronic Personally Identifiable Information (PII) stored by organizations across the globe. The standards are designed to be global standards allowing non-European companies to comply. The new regulation is a strict data protection regime requiring the organizations in scope to invest and plan far in advance.
Organizations found not in compliance face fines up to $20M Euro (about $23M US) or 4% of global turnover, whichever is higher. Unlike previous privacy regulations, the GCPR will be enforced immediately with no grace period.
What Is Included in GDPR?
The regulation itself is a 261 page document organized primarily into two types of information: 173 “Recitals” are statements describing what the regulation is attempting to achieve, and 99 “Article” sections include the more of the precise rules.
Two key organization definitions are outlined in the regulation:
- Data Controller - Organizations that have relationships with Data Subjects and processes their personal data
- Data Processor - Third parties that work for a Data Controller that processes personal data on its behalf
Here are some key points to consider in the regulation:
- Giving and withdrawing consent for personal data use must be as easy to withdraw as it is to give. Companies must use clear terms without excessive legalese in their terms and conditions.
- In the event of a data breach, data processors have to notify their controllers and customers within 72 hours.
- Data subjects (someone whose personal data an organization has) have the right to obtain their information from data controllers (organizations) for free within 1 month of the request.
- If data is no longer relevant, data subjects can request data controllers to erase their personal data.
- Data protection must be built into the design of new systems from the onset.
- Organizations with more than 250 employees are required to appoint professionally qualified officers.
5 Steps to Prepare for GDPR Compliance
These new regulations impact companies by putting new demands on data handling. With less than a year left to comply, and considering the magnitude of technology, security policy, and third-party contract changes that need to occur, many customers are daunted by their compliance journey ahead. Here are some important steps your organization should be taking now to prepare:
- Engage company policy makers, legal and executives now to ensure there is already a plan and timeline in place for meeting the compliance deadline.
- Document all data processing activities surrounding the related PII.
- Assess risk using the PIA (Privacy Impact Analysis) approach to analyze the impact on the freedom of data subjects.
- Identify key partners and review third-party contracts.
- Appoint a DPO (Data Protection Officer) if over 250+ employees.
To help simplify your GDPR efforts, consider Microsoft 365 – a new Microsoft platform that combines Office 365, Windows 10, and Enterprise Mobility + Security. Among a wide range of security and productivity solutions, Microsoft 365 helps customers in the ongoing compliance with new standards such as GDPR.
If your organization handles PII of EU citizens, the EU is making you accountable. Contact BDO Digital today to learn more about the technology helping organizations become GDPR compliant and the steps you should start taking now to prepare for the GDPR enforcement date of May 25, 2018.