Companies around the world have become more interested in the potential value of data and analytics in recent years. Because of this, there has been a corresponding growth in the amount of data captured, stored, and processed. This has led to increasing concern about how much personal data is being consumed and stored by organizations, and to worries about the potential mismanagement of that data. Frequent data breaches in the news and stories about the misuse of information, such as the recent Facebook issue, don’t help matters. Therefore, it should not come as a surprise that regulators have taken notice and have decided to enact data controls and protections.
Several existing compliance regulations already address how data is captured, handled, protected, and how breaches must be disclosed, such as HIPAA standards which relate to the privacy of health information. Still other rules cover different types of sensitive data, ranging from social security information to criminal records. These standards, their enforcement, and their penalties can – and do – vary from country to country.
In an attempt to strengthen privacy protections and to give individuals greater control over their personal information, the European Union (EU) developed a comprehensive privacy law: the General Data Protection Regulation (GDPR). GDPR, which requires compliance by May 25, 2018, affects commercial and government organizations that collect, store, and process EU citizens’ data, regardless of where the organization is based.
Key Elements of GDPR
Affected organizations should take GDPR seriously; the regulation includes massive fines for non-compliance and very tight disclosure requirements after a breach has occurred. However, rather than having a dampening effect on businesses, some people believe that when GDPR has been fully adopted and tuned, the regulations will allow EU organizations to better exploit and benefit from the data-centric economy of the future.
Some of the key elements of the new regulation include the following:
- Organizations face fines for infringements of up to 4% of the organization’s global annual turnover, or up to $25 million.
- After a breach involving the loss, theft, or illegal access of consumers’ personal data has occurred, required disclosures must be made within 72 hours; failing to adhere to this timeframe will subject the organization to penalties.
- GDPR includes a broadened definition of personal data, including things like IP addresses.
- The regulation also includes joint liability for organizations and their subcontractors.
- Organizations must comply with mandates for greater transparency over the data that is being kept and the manner in which data is processed; all work must be in compliance with GDPR mandates.
- GDPR includes a collection of eight consumer rights: 1) The Right to Be Informed; 2) The Right of Access; 3) The Right to Rectification; 4) The Right to Erasure; 5) The Right to Restrict Processing; 6) The Right to Data Portability; 7) The Right to Object; and 8) Rights related to Automated Decision-Making and Profiling.
- Under the new regulation, consumers will have the right to bring class-action litigation against organizations that violate data privacy.
- Because of increasing concerns about the privacy of children’s information, GDPR also includes a framework to protect the data of children under the age of 17, including a requirement for organizations to get parental permission to collect their children’s personal information.
Taking a Practical, Methodical Approach to Compliance
As you can see, GDPR is complicated and will require thoughtful data governance and controls. Missteps, when they occur, will be costly.
With the compliance date looming, many organizations are still struggling to develop a workable program. The best strategy for compliance is to take a practical, methodical approach that encompasses three distinct phases:
- Assessment and discovery
- Building controls for continuous monitoring
- Transparent reporting
The best way to prepare for the regulation’s enactment is to begin developing a comprehensive, “living” data governance program. Such a program should ensure compliance while also helping move your organization forward as a truly data-driven firm.
Is your organization prepared to meet the May 25, 2018 compliance date? Do you need help in preparing, or could you benefit from an assessment of your current preparations? Norwell Technology Group and Congruity360 can help. We’ll work with you to identify your top priorities and risks, and develop cost-effective solutions designed to help you comply with the exacting GDPR requirements. To learn more, contact Norwell Technology Group today online, or call us at (877) 277-9648.
Please join us this Wednesday at 11:00 AM EST for a live webinar on “How to navigate a growing data footprint!”. The webinar will not only provide you with valuable information on the key elements of data governance, but also provide you with a practical methodology to help you prepare for GDPR. Click here to get more information.