GDPR regulations for Europe go into effect very soon, but is your organization ready for the rigor required by these standards?
Recent cyber attacks have technology leaders throughout the world reviewing their security requirements, but the European Union is already a step ahead. Its upcoming GDPR, or General Data Protection Regulation, defines data security and risk requirements for organizations doing business in the EU. Businesses with customer interactions in the EU are scrambling to ensure that they meet or exceed the stringent data protection requirements before the Spring 2018 deadline for compliance, especially since non-compliance brings stiff fines and penalties to your business. The GDPR seeks to hand control of their data back to individuals, requiring organizations to be more proactive in proving that they have total control over the consumer data in their safekeeping. Understanding the key GDPR compliance requirements for your business is a critical step to continuing to do business in Europe, but business owners may be confused about which regulations apply in their specific situation.
More About GDPR
In April 2016, the European Parliament made a landmark decision that will have a far-reaching impact on how organizations store and manage customer data throughout the world. The GDPR (General Data Protection Regulation) regulates how companies protect the personal data of European citizens. Lack of compliance by Spring 2018 can have a serious impact on your bottom line, with stiff fines and penalties imposed by the EU. The regulation aims to provide a more uniform and consistent approach to the storage and security of data across nations in the European Union through required consent, data breach notifications, anonymization of data, safe data transfers and additional regulatory agencies. The regulation targets all organizations that do business in the European Union and includes a variety of requirements, among them the hiring of a dedicated data protection officer who is expected to be fully independent of both upper management and IT.
Steep Non-Compliance Penalties
While organizations in the U.S. are used to the possibility of opting out of specific legal requirements, the GDPR guidelines are mandatory, and a business that ignores them faces the consequences. The fines are significant — up to 4 percent of a company’s global annual turnover or up to 20 million Euros. The recent malware attacks on large organizations have left whole industries feeling vulnerable to attack, making it even more important that the GDPR requirements be followed precisely. According to a recent cybersecurity report from Cisco, average organizations today face tens of thousands of security events each week, with large and vicious attacks potentially reaching around the world in only a few hours. A variety of activities could be considered non-compliant, including breaches of the data protection principles, of customer or employee rights, of the conditions for consent and even of the rules for international data transfers.
Penalties can be imposed by data protection authorities, who have the power to physically obtain access to your company’s premises to carry out audits. Organizations of all sizes will be required to provide information upon request. Part of what the audits are looking for is a clear trail of freely-given consent, such as a written statement from an individual stating their agreement to the processing of their personal information. Individuals are able to easily withdraw their consent, and the burden of proof rests with the organization to prove that consent has been provided. This more aggressive approach to customer data is likely to cause challenges for businesses in the U.S. that are used to relatively freewheeling marketing practices.
Data Breach Response
There are expanded rules around the reporting of data breaches, requiring that all incursions be reported within a maximum of 72 hours. Employees must be trained in responding to a serious data breach, with the designation of specific responsibilities and roles within the organization. Fortunately, GDPR allows encryption as an appropriate way to achieve the goal of compliance. This relatively inexpensive option is very powerful and widely available and may allow your organization to skip notification to data subjects if it is determined that the personal data is unintelligible. Having clear policies and tested procedures in place is critical to ensuring that your organization can quickly react in the event of a data breach.
Part of ensuring full compliance for the data your organization gathers is to tightly document each individual's approval. Personal information that is shared across international lines is subject to additional audits. Under the updated ruleset, organizations carry the entire burden of proving how personal data is processed and stored, and that it is documented as being fully compliant with GDPR requirements. Since consent can be quickly and easily withdrawn, organizations are looking for ways to ensure a clear path to legitimizing processing activity. One portion of these regulations that organizations will not be pleased with is the absolute right to prevent direct marketing. Businesses have long relied on direct marketing to communicate directly with individuals who have only a passing familiarity with the business, but these more stringent rules require that individuals who have opted out of marketing be promptly added to an in-house suppression list, or the business risks non-compliance fines.
While the stringent new regulations may seem overwhelming to a business, there are some definite benefits to this direction. The EU has effectively consolidated the processing rules of each member nation into one set of standards, reducing variation. Additionally, having only one organization in charge of audits and compliance with the NDPA is considered to be a positive move. On the negative side, businesses are picking up more responsibility and may need to invest in organizational and technical measures that may require the redesign of systems and processes — and will almost certainly require additional staff to assure full compliance with the requirements.
Understanding the new GDPR compliance requirements for your business can be challenging. Fortunately, at Kraft Technology Group in Nashville, we have been studying the effects of these new regulations. We stand ready to help with execution — contact us today via email to firstname.lastname@example.org, or call (615) 600-4411.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.