This data protection regulation extends the scope of the law to all companies, even foreign companies, who are processing data of EU citizens and residents. The net effect will be to strengthen the rights of EU citizens and residents over their personal data and shift the responsibility of how data is collected, held and processed from the individual to the organisation.
The regulation has real teeth with severe penalties, in some instances up to 4% of worldwide turnover. The regulation comes into effect on 25 May 2018, so the clock is ticking. You now have only a year to put systems in place to ensure your initial compliance with the regulation and your continued compliance into the future.
There are three principal areas you will need to address to become compliant with the legislation:
- Governance: your data protection and privacy policies need to be set out in a formal document and available on your websites, at data collection points and communicated to all your employees.
- Training: your employees need to be aware of how the GDPR affects their job responsibilities and how they can use the personal data of customers, suppliers and employees.
- Compliance: you need to take steps to ensure compliance in the areas of direct marketing, human resources, IT systems and security.
Once compliant, there are ongoing regulatory responsibilities to ensure that personal data that you store or process will be:
- Accurate and kept up to date
- Processed lawfully, fairly and transparently
- Limited to the information that is necessary to the organisation
- Collected for a specific purpose
- Processed in a way that ensures security from breach, damage and loss
- Stored only for as long as appropriate
Compliance is not a once-off, but an ongoing, exercise. Carve out the time now and do the groundwork needed to create and implement systems that will last your organisation into the future and secure its regulation compliance as it grows.
While some companies will be appointing a data protection officer to help with the process, others will use a consultant or an external service provider that will assist in managing the process to becoming compliant.
One such provider is GDPR365.
Image credit: www.welivesecurity.com