Are You Prepared for GDPR?
The EU’s General Data Protection Regulation (GDPR) is a topic of growing relevance, not just to organizations within the EU, but worldwide. Any company that does business in Europe will be affected by the new standards.
And yet, preparation for next year’s compliance deadline appears to be an exercise in procrastination. Research from two UK firms—GDPR job board Careers in CyberSecurity, and London law firm Hamlins LLP—demonstrates that 73% of UK businesses haven’t properly budgeted for the implementation of the new rules. More than half had not chosen the required Data Protection Officer (DPO), and a third of the hundreds of thousands of respondents said they had no plans or even sufficient knowledge about the changes.
The reasons behind this inaction are manifold. Some cite a lack of funds, others want to avoid operational red tape or, foolishly, don’t consider the subject a big enough risk. A small percentage even assumed Brexit would exempt them from GDPR. To reiterate, however, this is irrelevant. If you do business in Europe, it does not matter whether you are part of Europe: the law applies to you. In their current complacency, these organizations leave themselves vulnerable to serious fines (up to 4% of annual turnover). “Those who leave it to chance and don’t prepare now, could be left high and dry if the Information Commissioners Office find businesses breach regulations,” states Matthew Pryke, a partner at Hamlins.
Indeed, the conditions of GDPR seem substantially more consumer-friendly than other regulations. For one thing, companies must obtain explicit consent both to process personal data and to share it with a third party. ‘Explicit’ here means that silence or inactivity does not fit the criteria. DPO appointment, again, is another requirement for certain organizations, including all public authorities and entities where data processing is a core, large-scale activity. Shared responsibility among providers is also emphasized: any outsourced service or third-party contractor handling sensitive information is equally culpable for protecting it. There must be competent security across the board, at any access point a hacker could enter. Cooperation must exist between DPOs and IT Directors, too, as they should incorporate data protection in the organization’s overall security policy.
These are but a few of GDPR’s tenets. Others are pretty standard, such as requiring proper notification procedures in the event of a breach. Come May 2018, all of these will be strictly enforced. Despite any turmoil or fractures going on, this step aims to standardize data security throughout the EU, as well as to increase organizational proficiency and responsibility in the face of advancing technologies.