On May 25, 2018, the European Union’s (EU) Data Protection Regulation (GDPR) will require businesses around the world transacting business within the EU to protect the personal data and privacy of EU citizens.
Adopted in 2016, businesses now have less than three months until they must be prepared to comply with the strict new rules. Many have found it challenging to implement the necessary systems and processes to manage the immense amounts of data collected, track it from creation to destruction and manage the storage of such data according to specific criteria in between.
The third biennial Ernst & Young 2018 Global Forensic Data Analytics Surveyasked several questions with respect to readiness for the GDPR. Respondents indicated only 33% have an established plan for GDPR compliance, with another 39% signifying they are unfamiliar with the GDPR. While Europeans naturally are more aware and prepared with 60% having a GDPR compliance plan in place — other regions have more work to do: Africa and the Middle East (27%), the Americas (13%) and Asia-Pacific (12%). Despite this lack of preparedness, however, respondents rank data protection and privacy risks as a top concern as they watch their overall risk profiles continue to expand.
REUTERS/Tobias Schwarz (GERMANY)
Outlined below are five key reasons organizations are so worried about GDPR compliance.
- New requirements
The GDPR focuses on accountability, transparency and governance to minimize the risk of breaches and uphold personal data protection by imposing new responsibilities on organizations. Not only must organizations carry out such charges, but they must adopt, test and maintain and be prepared to demonstrate such compliance to regulators.
- Specific processes
Many of these new requirements are specific processes organizations must adopt, with the intent that such measures will help structure and formalize certain areas to make compliance more efficient. The GDPR imposes concrete measures,
- The obligation to keep internal records of data protection activities;
- The requirement to notify regulators of data breaches without undue delay (organizations must report breaches to supervisory authorities within 72 hours) and document the underlying facts, effects and remedial action taken; and
- Appointing an official Data Protection Officer (required for some organizations).
3. Hefty fines and sanctions
Regulators are authorized to handle noncompliance with the GDPR in one of three ways:
- Issue a warning or impose a temporary or definitive ban on processing personal data;
- Impose a fine up to EUR 20,000,000 or 4 percent of the total worldwide turnover, depending on the circumstances of each individual case; or
- Both of the above.
With these provisions, the GDPR hopes to make the cost of compliance less than the cost of violations.
4. Vague requirements
The lingering uncertainty around the GDPR is one of the biggest impediments to compliance, with parts of it deliberately left vague. Undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop. Similarly, the regulation offers no definition of what constitutes a “reasonable” level of protection for personal data, offering regulators significant flexibility in assessing fines for data breaches and noncompliance.
- Extraterritorial reach
Similarly, the GDPR’s definition of what personal identification information has a broad scope, requiring a high level of protection for a wide range of information. It also has an extensive reach, with many firms — particularly in the U.S. — not even aware they will be subject to the new EU regulations. The primary principle behind the GDPR is that it views personal data as the property of the individual, not data controllers or processors. It applies to all EU citizens wherever they may be situated and regardless of the organization’s location. Consequently, in today’s digital and global world, it’s almost impossible to avoid dealing with some form of personal data from the European market.
GDPR compliance a facet of today’s business environment
GDPR compliance can be complex, as well as costly and disruptive as organizations invest the time and resources needed to update systems and processes to the security level the regulations require. However, data protection is now an essential consideration for an effective regulatory compliance framework, particularly for those within the GDPR’s extensive reach. At a minimum, organizations should find themselves investing more in overall data security resources, such as additional staff or upgraded technology.
Although there will be an adjustment period after the GDPR goes into effect, EU regulators indicate they plan on actively enforcing GDPR compliance. Thus, avoiding substantial fines and sanctions requires that organizations be prepared to offer evidence of data protection processes and accountability, as well as transparency with the regulators.
Thomson Reuters Compliance Learning online GDPR training course offers organizations a quick and effective way to ensure their employees understand the GDPR’s new and wide-reaching requirements.