Data sharing across digital platforms is rising, and so is public concern about preserving data privacy. To address this, a more stringent regulation, the General Data Protection Regulation (GDPR), replaces the existing Data Protection Directive and applies across the European Union from 25 May 2018.
This GDPR overview looks at how the new regulation protects the personal data of individuals in the EU, whether or not they are EU citizens, in the course of any transaction within the EU member states.
Frequent data leaks and data theft are serious threats to individuals' privacy. Businesses and organizations that process the personal data of people in the EU must now comply with GDPR irrespective of where the organization itself is located. Failure to comply can result in fines of up to 4% of the company's total worldwide annual turnover or EUR 20 million, whichever is higher.
Companies falling under GDPR compliance:
- Those with an establishment in any EU member state
- Companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU
- Organizations of any size: the 250-employee threshold in the regulation does not limit who must comply, it only decides who must keep formal records of processing activities
- Businesses with fewer than 250 employees must still keep those records if their processing is likely to pose a risk to data subjects, is not occasional, or involves sensitive (special-category) personal data
Personal data covered by GDPR includes basic identifying information and the special categories of data: biometric data, racial or ethnic origin, sexual orientation, health and genetic data, political and similar opinions, and online identifiers such as IP addresses and geographical location. Stringent GDPR norms should make consumers more confident about sharing data in business transactions.
GDPR overview and its impact on business:
The harsh reality is that many businesses still lack a complete GDPR overview and an understanding of its implications. Many are not even sure what GDPR compliance requires or how it will affect their business.
Many US companies have sprung into action, amending their terms of service to comply with GDPR. Even though 92% of US companies treat this as a top priority, they admit that adapting to the new guidelines calls for major operational changes and additional investment.
A PwC survey reports that 68% of US companies expect to bear a cost of $1 million to $10 million to achieve GDPR compliance, and some 9% may have to spend more than $10 million.
Every business that depends on data collected from vendors, clients and customers is exposed to a security breach whenever that data is stolen or accidentally disclosed to the wrong parties. After GDPR enforcement, such a breach can cost the business heavily.
Medical tourism involves large volumes of personal data moving across borders. Under the new GDPR rules, stakeholders in the medical-tourism industry will have to amend their data-management approach. Healthcare providers hold highly sensitive medical data and must meet a higher standard of data protection.
However, the General Data Protection Regulation does not demand perfect, foolproof security. Article 32 requires technical and organizational measures appropriate to the risk, which means sincere, demonstrable efforts to minimize the risk of a personal-data breach. Business organizations therefore need to review the GDPR overview and take carefully measured steps to close the gaps in their data-security management.
Efforts to prevent data leakage and to mitigate the damage in the event of a breach should be documented, because the ability to demonstrate those measures is what keeps fines down. Beyond the penalties themselves, the loss of consumer trust looms, which can be a double blow to any business.
Are businesses ready to embrace GDPR?
With a few days left before GDPR is enforced, many companies are struggling to meet its compliance requirements. Capgemini research suggests that 85% of companies in the UK and US will fail to meet the compliance deadline.
British organizations were expected to be ready for GDPR compliance, but only 55% of them are found to be ready. Even more surprising, 15% of UK companies do not treat GDPR compliance as a top priority.
Spain, Germany and the Netherlands closely follow the UK in readiness for GDPR compliance by the deadline. But the same study finds that 1 in 4 firms will not be ready even by the end of 2018. An IBM survey of 1,500 business leaders worldwide reports that 31% of companies have updated their incident-response metrics to a 3-day window to comply with GDPR guidelines. [https://www.research-live.com]
Many companies have resorted to the simplest solution: a 'spring cleaning' of their data. 70% of companies are disposing of data before GDPR takes effect, and 80% are trying to reduce the volume of personal data they hold. [https://www.barrons.com]
What should a GDPR compliance checklist include?
With only a few days to go before the deadline, a few quick measures can establish a baseline of GDPR compliance.
Educate your employees adequately:
GDPR expects organizations to educate employees and associates about the rules and the importance of complying with them. Personal data collected by the business should be treated as an asset to be protected in every form it takes. Employees should understand their role in data protection and be trained to apply the necessary security measures.
Accurate data assessment:
What types of data does your enterprise collect and process? Where and how is it collected? For what purpose? Answering these questions, and recording the answers as an inventory of personal data, is an essential part of the GDPR compliance checklist.
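The first step of such an inventory can be automated: scan each source system's records, flag fields that hold personal data of the kinds listed earlier on this page (email addresses, IP addresses, geographical coordinates) and produce a per-source map of field to data category. The script below is an added example, not code from the original article; the sample records, the source names and the field-name hints are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real data): one list of dicts per source system.
SAMPLE_RECORDS = {
    "web_analytics": [
        {"client_ip": "203.0.113.42", "lat": "52.5200", "lon": "13.4050", "page": "/pricing"},
        {"client_ip": "198.51.100.7", "lat": "48.8566", "lon": "2.3522", "page": "/"},
    ],
    "crm": [
        {"name": "A. Example", "email": "a.example@example.org", "notes": "prefers phone"},
    ],
    "billing": [
        {"invoice": "INV-1", "amount": "42.00"},
    ],
}

# Deliberately simple email pattern: good enough for inventory, not for validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Field names that usually carry location data (assumed hints, extend per organisation).
GEO_FIELD_NAMES = {"lat", "lon", "latitude", "longitude", "geo", "location"}


def classify_value(value):
    """Return the personal-data category a single value looks like, or None."""
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals only
        return "ip_address"
    except ValueError:
        pass
    return None


def classify_field(name, values):
    """Classify a field from its values first, falling back to name hints.

    Value evidence wins because column names are often misleading; a field is
    only labelled when every categorised value agrees on a single category.
    """
    categories = {c for c in (classify_value(v) for v in values) if c}
    if len(categories) == 1:
        return categories.pop()
    if name.lower() in GEO_FIELD_NAMES:
        return "geolocation"
    return None


def build_inventory(records_by_source):
    """Return {source: {field: category}} listing only fields that hold personal data."""
    inventory = {}
    for source, records in records_by_source.items():
        columns = defaultdict(list)
        for record in records:
            for field, value in record.items():
                columns[field].append(value)
        inventory[source] = {
            field: category
            for field, values in columns.items()
            if (category := classify_field(field, values)) is not None
        }
    return inventory


if __name__ == "__main__":
    for source, fields in build_inventory(SAMPLE_RECORDS).items():
        status = fields if fields else "no personal data detected"
        print(f"{source}: {status}")
```

Sources that come back empty (here, billing) still need a manual check, because the scanner only recognises the categories it has patterns for; names, health notes and other free text must be classified by hand or with a dedicated classifier. The output is the starting point of the record of processing activities, to which purpose and legal basis are then added per field.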
Hire a Data Protection Officer:
GDPR also defines the role of the Data Protection Officer. Appointing one is mandatory for public bodies and for organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data; for everyone else it is good practice. This is a senior position, and the person must act independently, ensuring data protection through sound implementation of policies at every level of the organization.
Implement GDPR compliance policy:
Establish specific compliance policies and protocols that restrict access to personal data. Companies should define their consent standards and honour the rights of data subjects: the right of access to their personal data, the right to erasure on request, and the right to know the purpose for which the data is used and how it is processed. Data subjects should also be able to obtain an electronic copy of their personal data on request.
Check the data consent requests:
Quickly review how consent is obtained from data subjects for the use of their personal data. GDPR requires that consent be freely given, specific, informed and unambiguous, expressed through a clear affirmative action; pre-ticked boxes and silence do not count.
Ensure protection from security breaches:
To address breaches arising from data theft or leaks, develop a policy for detecting intrusions and responding to incidents promptly so that damage is contained. Every breach should be documented (the facts, its effects and the remedial action taken), reported to the supervisory authority within 72 hours where feasible, and, where it is likely to pose a high risk to individuals, notified to the affected data subjects without undue delay, describing what happened and what measures have been taken.