We’re only three months into the new year, but 2018 will be here before we know it. And in less than 15 months, businesses around the globe will need to be compliant with the European Union’s General Data Protection Regulation (GDPR).
The new data directive was approved by parliament in 2016 and will take effect in May of 2018. Replacing the 1995 Data Protection Directive, the regulation outlines data privacy guidelines and introduces a number of new policies on information security.
Failure to comply with the regulation could result in expensive fines, and businesses will need to amp up their security management systems to meet requirements. Despite the consequences associated with non-compliance, a recent study shows more than half of businesses aren’t adequately prepared for the changes.
GDPR will implement many changes in regard to the handling and distribution of sensitive consumer information. Namely, the regulation will establish new rules in relation to consumer consent, breach response and data privacy. Here’s what you need to know.
GDPR Reaches Beyond Europe
One key aspect of the new regulation is its far-reaching jurisdiction. The GDPR will apply to all organizations in the European Union as well as companies outside of the E.U. that process data in Europe. Companies handling data for consumers in the E.U. must abide by the new rule, no matter where they are located in the world.
The GDPR will make it mandatory for companies to report a data breach to a data protection authority within 72 hours of the leak being discovered. Those affected need to be notified “without undue delay,” according to the GDPR website.
Data breach notifications under the GDPR must describe the nature of the breach, provide contact details for a data protection officer and outline steps being taken to fix the problem.
Non-Compliance: A Costly Mistake
Companies that fail to comply with the GDPR will pay the price. Those found not to be in compliance can be fined up to four percent of their annual global turnover or €20 million, whichever amount is greater. Fine amounts will depend on what aspects of the regulation have been violated.
Reasons an organization can be fined for non-compliance include not properly organizing data records, not notifying the appropriate body/consumers of a data breach and failure to conduct an impact assessment.
The GDPA aims to give individuals more control over their data and how it’s handled and processed. For this reason, the regulation makes individual consent an important aspect of the new rule. The regulation makes clear that any consent agreements related to data management should be provided to consumers in a clear and understandable format, eliminating ambiguous language.
Making Sure You’re Ready
It’s important for organizations to familiarize themselves with the proposed GDPR rules and create a plan of action going forward.
Ensuring all organizational stakeholders have access to the proposed rules and understand the GDPR’s purpose is the first step in creating a plan to abide by the new legislation.