As the deadline for compliance with the incoming EU General Data Protection Regulation approaches, many businesses have still not implemented a strategic plan of action. According to a survey conducted by UK law firm Blake Morgan, nine out of ten businesses are not yet ready: only 10% of companies have updated their privacy policies to comply with the new law. The strict level of compliance demanded by the EU in terms of data governance, regulatory compliance and information security must be met by businesses if they want to avoid fines and other sanctions.
“There appears to be a genuine confusion among many business leaders about what the new law means and how to achieve full compliance,” stressed Simon Stokes, a partner at Blake Morgan. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The GDPR was approved by the EU Parliament on April 14th, 2016 and, following a two-year transition period, will apply from May 25th, 2018. The new regulation will affect not only EU-based organizations but also data controllers and processors around the globe.
The regulation applies not only to organizations located within the EU but also to organizations located outside the EU that offer goods or services in the bloc, and to those that process or hold personal data of EU residents. According to www.eugdpr.org, personal data is “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Public authorities, organizations that engage in large-scale systematic monitoring of individuals, and organizations that engage in large-scale processing of sensitive personal data will need to appoint a Data Protection Officer (DPO). These organizations will therefore need more time to organize their compliance program and decide how to approach the upcoming regulation.
Companies that ignore the deadline will face heavy fines and sanctions, as reported in Pinsent Masons' Legal News and Guidance: under the GDPR the most serious infringements can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher.
To make sure your business is on track to meet the 2018 deadline, you should:
1. Determine your role under the GDPR (data controller, data processor, or both).
2. Appoint your data protection officer, if your organization is required to have one.
3. Demonstrate accountability in all processing activities.
4. Check your cross-border data flows.
5. Prepare for data subjects exercising their rights.
Specific questions particular to each industry may arise, but regardless, the GDPR will become fully enforceable on May 25th, 2018.