The General Data Protection Regulation (GDPR) is one of the most sweeping corporate regulations introduced in decades.
This law will affect every business worldwide that deals with the personal information of EU residents. The measure, adopted by the European Commission, is set to go into effect on May 25, 2018, with the purpose of standardizing rules for the collection, storage, use and protection of data across the European Union.
While the obvious risk of non-compliance is a hefty fine (in the case of GDPR, 4% of worldwide turnover or €20 million, whichever is higher), the often overlooked risk is a sudden halt of your business operations by the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority, DPA). This was a topic of discussion on April 12 at a roundtable organized by Leaseweb on “What does GDPR mean for your business?”, featuring speakers from NetApp, Acronis, Leaseweb, and GDPR expert Brenno de Winter.
A common misconception among small businesses is that the law only applies to large companies, or that enforcement by regulators may be lax towards small shops. However, according to Brenno de Winter, the Dutch DPA has actually hired a task force to verify the compliance of small companies with GDPR. For example, if you are a business with three employees but handle thousands of files containing personally identifiable data, you are considered a large operation within the scope of GDPR. Additionally, U.S. companies that deal with the data of EU residents must also comply. The Dutch DPA has the power to shut down business operations and upend entire business processes until compliance with GDPR is achieved. Such an action could potentially be more financially crippling than a fine.
Various actions can be taken by an organization to get GDPR-ready, starting with understanding which personally identifiable data it handles and exactly how that data is used. Most of the legal principles on data processing and data privacy were introduced earlier and should already have been applied. Creating a register that specifies data types and the related processing activities is a new obligation, and it will serve as proof of an effort to comply with GDPR if regulators come knocking at the company door. Now is the time to show accountability and responsibility by adopting into your organization all existing and new measures and arrangements that GDPR requires. A further step is the implementation of appropriate technical and organizational measures that ensure and demonstrate compliance. These can include internal data protection policies such as staff training and the self-auditing of processing activities to check progress towards GDPR compliance.
In a world where data is essentially an organization’s capital, and cyber-attacks are increasingly sophisticated, privacy and security have never been more important. Regulatory activity will likely remain high, and it is crucial that companies have control over their data. Moreover, the loss of data is itself a GDPR offense. “Data privacy is an outcome, based on the right decisions regarding the legal framework, policies, business processes and technology,” says Michiel Verbruggen of NetApp. While various vendor solutions can aid with data management and security, there is no “off the shelf” solution for data privacy or GDPR compliance, says Verbruggen. Each company should be its own architect of what happens to its data, even when using vendors to manage it.
When GDPR compliance is achieved, proper communication to customers is important. One way is to include it in a privacy statement on your website, or to set up a FAQ section about your compliance efforts. Alternatively, a separate GDPR-related processing agreement could be drafted and included in the terms and conditions. Regardless of the method, clear and open communication on this topic is necessary and should be prioritized.
There is no quick fix or one-stop-shop solution for complying with this comprehensive mandatory legislation. GDPR is ushering in a new era of data protection and regulation, and privacy by design should be the objective, with data security measures built into business processes. According to Leaseweb General Counsel Jacqueline van de Werken, GDPR will be a major positive for international business, as the law will create uniformity of privacy regulation across the EU. Companies operating in multiple countries will need just one compliance program instead of multiple versions tailored specifically to each EU nation.
The days of not knowing what data a business has are over, and each affected entity should take the first step towards compliance as soon as possible in order to continue thriving as a company, and avoid the risk of financial penalty or a shutdown of operations.