Significant fines, corrective measures, and reputational damage—these are all real consequences that your company could face if it is not compliant with the European Union’s General Data Protection Regulation (GDPR). Although the regulation has been in effect since 2016, its post-adoption grace period officially ended on May 25, 2018. Despite the hefty penalties, Gartner predicts that by the end of 2018, more than 50 percent of companies affected by GDPR will still not be in full compliance with its requirements [1]. If your company is not yet compliant, you may see GDPR as a burden. However, investing in GDPR compliance does not have to be just about avoiding penalties—it also provides real opportunities for your company to gain a competitive edge by creating a solid foundation for data management.
GDPR is a legal framework that governs the collection and processing of personal information of individuals within the European Union (EU). Its aim is to protect the personal data of EU citizens and provide them with the necessary rights to manage their personal data. While GDPR protects the rights of EU citizens, compliance is not limited to organizations within its borders. Regardless of location, U.S. companies must comply with GDPR if they process personal data of EU citizens and visitors in any capacity.
Not only do U.S. companies need to navigate GDPR, but they also need to prepare for forthcoming U.S. data privacy laws. Following the GDPR trend, California passed a significant data privacy law in late June that gives consumers unprecedented control over their personal data [2]. Under this new law, consumers have the right to know what information is being collected about them, why it is being collected, and with whom it is being shared. Businesses must also delete personal information and agree not to sell or share data upon the request of a consumer, while still providing that consumer with the same level of service. The state’s Attorney General will have more authority to fine businesses that are not compliant with these new regulations. The law, which goes into effect in January 2020, is arguably the most comprehensive data privacy law in U.S. history, and it will most likely not be the last. It is only a matter of time before more states introduce data privacy laws—businesses that start the GDPR compliance process now will be ahead of the data privacy game.
To get ahead of the curve, it is critical to know how GDPR requirements impact your business operations. The European Commission identified these five key changes under GDPR [3]:
Companies must communicate their privacy policies in clear, simple terms.
Individuals must give explicit consent for a business to use their personal data; silence does not indicate this consent.
Citizens have stronger rights regarding their personal data. They can move their data from one business to another, access a copy of their data that has been collected by a business, and have a “right to be forgotten,” meaning companies must delete a citizen’s personal data if requested. Companies also now have a responsibility to inform citizens immediately in the event of a harmful data breach.
Organizations must be more transparent regarding the purpose and use of collected data. Businesses are obligated to notify citizens if their data is transferred outside of the EU, clearly inform them of the purpose(s) for collecting and processing data, disclose if any algorithms are used to make an automated decision based on user data (e.g., a loan application), and provide them an opportunity to contest the decision.
Organizations face stronger penalties and fines for non-compliance. Each of the 28 EU member countries has a data protection authority (DPA) that provides guidance on and interpretation of GDPR regulations. Together, these authorities comprise the European Data Protection Board, which can make binding decisions in the event that several EU countries are involved in a compliance issue, ensuring that GDPR is enforced uniformly across the EU. If a business violates GDPR, DPAs can impose fines up to 20 million Euro or four percent of a company’s revenue, as well as corrective measures, such as ordering a business to stop processing personal data. Less measurable, but no less important, is the damage to a company’s reputation after breaching GDPR.
Reading these requirements and penalties can be overwhelming. However, there are steps that all IT leaders involved in security, risk, and privacy management can take to ease their path to compliance:
Appoint a data protection officer (DPO)
Create a task force to address the challenges the organization faces under GDPR
Review personal data processing operations for subject rights enforcement and cross-border data flow compliance, including adequate data processor selection
Establish and maintain an internal framework for accountability, including mitigation of risk resulting from the data processing activity
Strengthen transparency by instituting comprehensive central business registration and documentation of data processing activities
Seek legal advice, where necessary, in the pursuit of risk-based timely compliance decisions
By engaging a trusted partner with demonstrated experience in regulatory compliance, your company will benefit from experienced professionals who can guide you through these steps, reducing your risk of penalties while also creating a solid foundation for data management.
For more than 15 years, CTG has been a market leader in IT-related validation services, and our suite of GDPR Compliance Services is designed to address both short and long-term client needs. From a compliance assessment resulting in a remediation roadmap to a customized implementation solution, our highly configurable approach meets you where you are in the compliance process and leverages the 13-step approach defined and promoted by the Belgian Supervisory Authority.
CTG also offers Data Protection Officers (DPO) to get your compliance on track and assume DPO responsibilities based on your unique needs. In addition, we provide state-of-the-art data security technology, such as encryption and privacy office automation, to optimize your organization's privacy processes.
Data privacy is a growing global trend, evidenced by GDPR as well as California’s privacy legislation. Those companies at the forefront of addressing data compliance will have a leg up on the rest of the market as these new laws evolve and multiply, while those with a “wait and see” approach will likely be playing a costly game of catch-up to avoid significant penalties.
To learn more about how CTG can help your organization meet its GDPR compliance needs and gain a competitive advantage, drop us a note below or read more about all of our Regulatory Compliance Solutions.