Never heard of it you say.
Well, if your organisation is in the European Union or processes the personal data of EU individuals—customers, employers or business associates, then not only does the GDPR concern you, you are at risk of severe financial and reputational penalties for non-compliance.
In fact, with less than eight months to the full enactment of the General Data Protection Regulation (GDPR), enterprise leaders should be implementing new policies and procedures for the new laws.
The GDPR which commences in May 2018 imposes responsibilities on data processors that provide goods and services, standardising and boosting data security across the EU region.
Here’s a primer on how data controllers can prepare for compliance.
What is Personal Data?
The Data Protection Act (DPA) defined personal data as data relating to a living person identified either from the data or from information in conjunction with other data that is in or is likely to come into the possession of a data controller.
Under The GDPR, personal data has a broader definition, with it defined as data relating directly or indirectly to an identifiable person by reference to an identifier such as a name, an ID, online data, or by physical factors like location, physiological, cultural and social features.
Although the DPA and GDPR share similarities in definition, the GDPR is more comprehensive, encompassing a broader scope of personal data under its protection.
For companies not sure what may be classified as personal data in their dealings with end users, extra caution in collecting and securing as little data as possible, and not storing any information longer than necessary is a quick start to GDPR compliance.
Most Companies are Unaware and Unprepared for GDPR
Despite the vastly increased level of fines companies will face for GDPR noncompliance, a lot of companies in the EU are unaware of an impending act such as the GDPR.
The main surprise to small businesses may be fines of up to 4% of their annual turnover or a whooping €20m for noncompliance.
A recent survey carried out by Vanson Bourne of over 500 IT decision makers in companies with more than 1000 employees revealed that 75% agreed they face serious challenges in being compliant with the GDPR.
A general lack of awareness was blamed for companies’ unpreparedness.
However, with less than eight months to the proper implementation of the GDPR, now is the time to act.
Interpreting the GDPR Requirements and Guidelines
Although there is a growing awareness of the GDPR among company executives, many are still in the dark regarding its scope and breadth, seeing it as just an augmentation of current data regulations.
While there are areas of the GDPR that are the same as existing laws like the 1998 Data Protection Act (DPA), it is essential organisations differentiate the GDPR’s new framework and requirements in the EU as regards data protection.
For organisations processing volumes of end user data, constant communication with their national Supervisory Authority concerning the interpretation of GDPR laws will fast-track compliance.
What Do I need to Do to Prepare?
There’s quite a lot you should do to prepare for the GDPR, educating yourself for full compliance is crucial.
However, as the countdown to GDPR implementation shrinks, with most businesses unprepared, it is important you define the scope of your preparedness from a business perspective to determine what should be ready before the official kick-off in May 2018.
Organisations need to identify which aspects of the regulation are critical to compliance, understanding the legal requirements and the ensuing risks in involved.
Therefore, an in-house interpretation of the GDPR requirements to uncover any existing gaps and the immediate measures to rectify them should be a top priority.
Data security has always been important. However, it’s become sacrosanct. Take our FREE GDPR awareness questionnaire to get your business on track to meet the requirements for next year’s implementation date.
Want to read more on this subject? See other articles on GDPR and Data Protection: