March 16th marks ten weeks left before the May 25 deadline for the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR unites all of Europe with one data protection law, replacing the prior European Commission’s Data Protection Directive and the UK’s Data Protection Act of 1988. Ian Singer, the lead IT Assurance Partner for UK CPA firm PKF Littlejohn, explained, “Most of the data protection laws are 20 years old. Clearly the world has changed radically in that time, particularly with digital marketing.”
Much like the recent update to the U.S. tax law, GDPR is a lengthy law with a great deal of grey area left to interpretation. One item that is crystal clear is the enormous penalties outlined in the law, which range up to 20 million Euros or 4% of annual global revenue. Another clear aspect of the law is that it applies to any company that captures or manages data regarding citizens of the EU, regardless of where the company is based.
The core concept of GDPR is individual rights. The law gives citizens of the EU greater control and ownership of personal data that businesses capture, and outlines the rights of the citizen pertaining to that data. These individual rights include:
- The right to be informed – Ensures consumer data isn’t collected without the individual being notified
- The right of access – Gives citizens access to the personal data an organization has collected about them, access they previously had no guaranteed right to
- The right to rectification – Allows users to correct misinformation noticed in collected data as part of the “right of access”
- The right to erasure – Also known as the “right to be forgotten,” giving citizens the ability to terminate a business relationship and all associated records under pressing circumstances
- The right to restrict processing – Should individuals wish to pause a business relationship rather than take the “erasure” route, they can halt personal data collection and analysis
- The right to data portability – Transfers all data ownership to the individual, meaning businesses cannot hold data “hostage” and restrict it from being viewed by other organizations (competitors, for instance) should the individual wish for it to be shared
Many U.S. companies have been caught in an extreme time crunch attempting to comply with this law’s requirements by May 2018. If you haven’t performed your due diligence yet, how do you begin?
Frazier & Deeter’s Process, Risk & Governance Partner Gina Gondron suggests, “Look at what you are already doing to protect consumer data. It’s an overwhelming law and standard to some, but when you peel back the layers, the purpose is how you are handling the data of your customers. It’s not something that should be that foreign.”
Gondron also notes that organizations with SOC reports (System and Organization Controls Report) have an excellent starting point to use as the basis for their GDPR compliance.
In order to demonstrate compliance, consider these steps:
- Get an outside expert to help you review and map your existing data management controls
- Identify gaps, especially in the area of the right to be forgotten
- Identify a Data Protection Officer
- Review data breach notification procedures, or develop them if not already in place
- Develop employee training materials specific to managing customer data
Given the lack of guidance and any sort of certification, organizations that may be challenged under the new law need to be able to demonstrate an attempt to comply.
As Singer puts it, organizations should be ready to “show you have a process you are following, and that you are taking a serious view of this. You should be having good conversations, with the right people, including your Data Protection Officer. At the heart of those conversations you must have the rights of the individual, not the company.” The concept of privacy by design, rather than as an afterthought, is the goal.
Have questions about your status and how to proceed with this rapidly approaching compliance deadline? Listen to our webcast, or talk to one of our data protection advisors.