According to CSO, companies that collect data on citizens in European Union (EU) countries will need to comply with new rules on protecting customer data by May 25, 2018. These rules, called the General Data Protection Regulation (GDPR), will set new standards for protecting consumers’ data.
The GDPR was adopted by European Parliament in April 2016, replacing data regulations instituted in 1995. GDPR “carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.”
The challenge with GDPR, CSO reports, is that its rules leave “much to interpretation”: “It says that companies must provide a ‘reasonable’ level of protection for personal data, for example, but does not define what constitutes ‘reasonable.’” This gives GDPR representatives plenty of leeway in assessing fines for breaches and noncompliance.
CSO says that fines for companies that are not compliant with GDPR can cost up to €20 million, or $24 million, or four percent of global annual turnover – whichever is higher. CSO also pointed to a report by Ovum that found 52 percent of companies believe they will be fined for non-compliance.
The companies that will be affected by the GDPR include those with a presence in EU countries, companies located outside the EU that do business in it, companies with more than 250 employees, and companies with fewer than 250 employees whose data processing impacts individuals’ personal data. According to CSO, this “effectively means almost all companies.”
What decision makers need to know:
Even though the pressure to get a company compliant with GDPR by the May 25 deadline seems daunting, CSO outlines steps that can be taken to speed up the process:
- Increase compliance awareness with company leaders, and develop a sense of urgency
- Involve all stakeholders – Decision makers might consider initiating a taskforce that “includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ [personal information].” CSO says that a task force can more effectively share information that can help with implementing necessary compliance procedures, and better prepare the company as a whole.
- Conduct a risk assessment, which includes exploring where all personal data is stored within the company, and how; this even includes data stored on mobile devices. Missing any data increases the risk of noncompliance, CSO says.
- Hire a data protection officer (DPO), whether full time, part time, or as a consultant (a virtual DPO).
- Create a data protection plan to mitigate risk, and report your compliance progress. This also includes testing incident response plans and setting up ongoing assessments to ensure consistent compliance and ongoing success for the business.