GDPR compliance has been a hot topic since the EU adopted the General Data Protection Regulation (GDPR) in 2016. GDPR was introduced with a two-year implementation period, which comes to an end on May 25, 2018. The objective of the new legislation is to protect the personal data of individuals within the EU and give them more control over how their data is used.
Unfortunately, many organizations have overlooked the new legislation and now find themselves scrambling to become GDPR compliant. Forrester Research found that 74% of European organizations believe they are still not fully prepared for the arrival of GDPR. For these organizations, the time to start preparing is now.
Changes under GDPR
Consent for data
Where consent is the lawful basis for processing, organizations need to be able to prove that they obtained valid consent for the personal data they hold. In addition, it must be as easy for people to withdraw their consent as it was to give it.
Established access rights
Once personal data has been collected, it needs to be stored securely. GDPR requires that only people who need access to the data in order to do their job should be able to access it.
Data retention
Organizations should only hold personal data for as long as they need it. Once the data no longer serves the purpose it was collected for, it should be deleted.
Right of access
Organizations must be able to provide people with information about their personal data, including how, when, why and by whom their data was collected and stored.
Breach notification
In the case of a personal data breach, organizations are now required to notify the supervisory authority within 72 hours of becoming aware of it.
What organizations are affected by GDPR?
GDPR affects any organization based within the EU, and any organization outside the EU that holds or processes the personal data of EU residents. Personal data includes a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, and a computer's IP address.
Which employees within these organizations are affected by GDPR?
Within organizations, GDPR applies to ‘Data Controllers and Processors.’
- A Data Controller is the individual or organization that decides why and how personal data is collected and used, and is responsible for it. Data Controllers need to comply with rules about how they collect and use personal information. GDPR also places further obligations on controllers to ensure that the processors they use comply with GDPR.
- A Data Processor is the individual or organization that processes personal data on behalf of a Data Controller. Data Processors may only process personal data on the documented instructions of the controller. Processors are also required to maintain a record of the personal data they hold and their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they would have been under past legislation.
What are the possible penalties for companies that don’t comply?
Penalties for non-compliance with GDPR can be very costly. Organizations that do not comply can face fines of up to €20 million (roughly $24.5 million) or four percent of the company's global annual turnover, whichever is higher.
The Current State of GDPR Compliance
While organizations have had nearly two years to prepare for the introduction of GDPR, many are still not fully prepared as the deadline approaches.
As of January 31, 2018, almost 30% of organizations globally believed that they were fully GDPR compliant. However, based on its own qualitative research, Forrester believes that many of these self-assessments only partially address the legislation: only a portion of these organizations have gone further than the basic IT compliance requirements set out in GDPR. Enza Iannopollo, an Analyst at Forrester, believes that "These approaches are short-sighted, and most likely will need radical revision after the enforcement of GDPR rules start in May."
European organizations are the most pessimistic about their GDPR readiness. In Europe, only 26% of firms believe that they are fully GDPR compliant right now, while a further 22% expect to be compliant within the next 12 months. In comparison, the region that believes it is the most prepared for the arrival of GDPR is Asia Pacific, where 29% of organizations believe that they are fully prepared and 24% believe that they will be fully prepared within the next 12 months.
Approaches to GDPR, and GDPR maturity, vary greatly across verticals. Forrester's 'The State of GDPR Readiness' report found that financial services firms are the most GDPR mature. The report's author, Enza Iannopollo, believes that prior experience of dealing with tough regulation gives organizations in this vertical an advantage:
"…firms in highly regulated verticals, such as financial services, have the luxury of relying on established compliance and data protection teams and often also on data protection officers — teams and individuals they put in place long before the EU finalized GDPR."
If you're looking to learn more about GDPR and how your organization can ensure GDPR compliance, download our latest GDPR Workflow White Paper. The white paper offers more insight into GDPR and the challenges it brings to organizations, and provides actionable steps that a finance department can take to ensure compliance.