By: Brian DiPaolo, Director of Strategic Services
The May 25, 2018, enforcement deadline for the European Union (EU) General Data Protection Regulation (GDPR) has come and gone. If you’re not yet compliant, you are already exposed to enforcement. If you’ve achieved compliance, congratulations! You’ve cleared the first hurdle. Now comes the heavy lifting.
The Consequences of Non-Compliance
GDPR has a two-tier fine structure. Lower-tier infringements (Article 83(4)) carry administrative fines of up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Upper-tier infringements (Article 83(5)), such as violating the basic processing principles, data subject rights, or the rules on international transfers, carry fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. To date, the highest-profile organizations to have received complaints are Google, Facebook, Instagram, and WhatsApp. There are several ongoing investigations, and the supervisory authorities are working with the companies against which complaints have been filed to build better processes and course correct moving forward. To date no fines have actually been assessed, and the investigation process is estimated to take anywhere from 6 to 8 months to complete.
Enforcement rests with the independent supervisory authority (data protection authority) of each EU member state, not with international law. For a US company that has an establishment in the EU, the authority of the member state where its main establishment sits acts as lead supervisory authority under the GDPR’s one-stop-shop mechanism (Article 56) and coordinates with the other authorities concerned. A company with no EU establishment that still falls under the regulation because it offers goods or services to, or monitors the behavior of, people in the EU (Article 3(2)) must designate a representative in the EU (Article 27), and the supervisory authority of any member state where affected data subjects reside can investigate and impose fines. The US Federal Trade Commission (FTC) does not enforce the GDPR; its role is limited to enforcing the commitments US companies make when they self-certify under the EU-US Privacy Shield framework.
In addition to steep fines, businesses subject to the GDPR face the potential loss of EU customers and pipeline, executive management accountability, the right of data subjects to seek a judicial remedy and compensation (Articles 79 and 82), and brand damage.
It’s a Data Protection Program, Not a Project
GDPR affects the entire company, from the Board of Directors all the way down. The C-suite, especially, must understand the concepts and requirements and be able to demonstrate that GDPR is a consideration in all of their strategic business decisions. Essentially, for many companies, GDPR signals a cultural shift.
An organization-wide culture of data protection is crucial, and ISACA recommends a life cycle model to accomplish this. Such a model helps entrench data protection principles in every facet of the business, while providing the agility needed to respond to change.
The key to maintaining GDPR compliance, though, is appointing the right Data Protection Officer (DPO) or Lead to head the compliance effort. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37(1)); every other organization still needs a named lead. An effective DPO will educate the organization on its GDPR obligations, monitor compliance efforts and staff training, and advise on and monitor Data Protection Impact Assessments (DPIAs).
The DPO should have a level of experience with data protection programs commensurate with the complexity of the organization’s data processing activities, as well as expert knowledge of European data protection law and the GDPR (Article 37(5)). In addition, the DPO must operate independently of his or her employer, must report directly to the highest level of management (Article 38(3)), and must be free of any conflicts of interest if charged with other organizational duties.
Lastly, the DPO is the face of an organization’s compliance efforts and is the point of contact for both supervisory authorities and individuals exercising their rights, including those submitting subject access requests (Article 38(4)).
Also vitally important is an appropriate governance structure, which should establish an accountability and responsibility framework to drive data protection processes and must be supported by executive management.
Maintenance is critical and may follow much the same path as your preparations for initial compliance. We’ve broken it down into seven tips to bring method to the madness. Revisit the steps you took on your path to GDPR compliance, incorporate lessons learned, and build the following into the life cycle of your data protection program:
- Executive buy-in and corporate understanding are key.
- If you don’t know what you have, you can’t protect it or report on it. Maintain a data inventory and keep your records of processing activities (Article 30) current.
- It is crucial to select and document the correct legal basis for each processing activity (Article 6, and Article 9 for special categories of data).
- Data subject rights require close attention.
- Processors and sub-processors must follow GDPR and must be bound by written contracts that meet the requirements of Article 28.
- Sound security practices are key to GDPR compliance. (Consider ISO 27001.)
- All personal data breaches must be documented internally, regardless of severity (Article 33(5)). A breach likely to result in a risk to individuals must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33(1)); a breach likely to result in a high risk must also be communicated to the affected data subjects without undue delay (Article 34). Processors must notify their controllers without undue delay (Article 33(2)).
Any organization subject to the GDPR, whether established in the EU or offering goods or services to, or monitoring, people in the EU, must now be able to demonstrate compliance. This includes being able to show not only that it has processes in place but also that it is following those processes, which can only be evidenced through records: records of processing activities, DPIA reports, training records, log files, and audit data. Accountability is baked into the GDPR (Article 5(2)), and you must prepare to demonstrate compliance on request.
Being prepared means doing the heavy lifting of assessment and documentation now. Third-party GDPR-related services, including DPO staff augmentation as well as gap and risk assessments, data mapping and inventory, and identification and documentation of data protection processes, are essential to maintaining compliance. Data protection is a program, not just a project. It must be nurtured, supported, tested, and continuously improved.
To learn more, visit https://accudatasystems.com/solutions-overview/eu-general-data-protection-regulation/.