The GDPR applies from 25 May 2018, and many businesses are beginning to prepare for it. The GDPR builds on familiar data protection concepts and rules but in many ways goes further: its scope is wider, its standards are higher, and its sanctions are much heavier. It also expands the territorial reach of EU data protection law, which applies both to organisations established in the EU and to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. A greater number of organisations will therefore be subject to the new rules.
With a greater level of harmonisation of law across the EU, businesses that sell goods or services in several EU states should find it easier to take a unified approach across all of them. However, the compliance burden is generally greater than under current law, so many organisations will have to review and enhance their existing practices. In particular, the accountability principle means that affected organisations will have to demonstrate internal compliance, including through record keeping and, for some, the appointment of a data protection officer. These changes matter because of the significant penalties for non-compliance: fines can reach the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year.
While the actions needed to prepare for the implementation of the GDPR will be specific to your organisation and the sector in which it operates, your organisation should start by:
- Evaluating your organisation’s internal policies and measures to determine whether they need to be updated in light of the GDPR. Compliance and accountability are key. Your organisation should prepare a standard data protection impact assessment (DPIA) process and may also need to appoint a designated Data Protection Officer. You should also develop policies for managing the personal data that flows through your supply chain to and from third parties.
- Considering what practical changes and upgrades are needed to your internal ICT systems and data management capabilities, including assessing what personal data your organisation holds on data subjects. All required changes will need to be implemented, tested and go live by 25 May 2018.
- Reviewing and amending the content and format of your organisation’s external-facing privacy notices and e-marketing processes to address both your additional obligations and the new rights granted to individuals under the GDPR.
- Evaluating your organisation’s current incident response plan and data breach management and reporting procedures for GDPR compliance, in particular the requirement to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to notify affected individuals where the breach is likely to result in a high risk to them.
- Offering appropriate GDPR training to employees who are involved in the processing or management of personal data.