Much like Y2K, the long-awaited and much-feared GDPR compliance drop-dead date of May 25th came and went without much ado. This left many of us, both in business and in the legal field, asking, “Now what?” As we await new guidance, precedent, and law informing how the EU’s General Data Protection Regulation will be enforced, one fact remains clear for our clients: now is as good a time as any to double down on compliance to ensure your company is GDPR ready.
Compliance Rates

Recent reports found that 85% of firms and companies in both the EU and the US were not prepared to fully comply with GDPR by the May 25th deadline. The same reports estimated that 25% of EU and US companies will remain unable (or unwilling) to comply through the end of 2018. These reports come from surveys taken from 1,000 executives across eight countries, including the US.
What this tells us is that many businesses do not fully appreciate the two biggest reasons to become GDPR compliant: 1) to avoid the draconian penalties for violation of the GDPR, and 2) to gain an early competitive advantage.
Why Should You Comply?

As noted in our earlier client alerts, GDPR penalties for noncompliance are clear and harsh. Companies can be fined up to 4% of the enterprise’s worldwide income, or up to 20 million euros for every individual infringement. You read that correctly – per infringement. While we do not yet have a historical record of enforcement and penalties to look to, we can only assume these harsh measures will be used as a tool to ensure widespread compliance.
In addition, few companies are realizing the competitive advantage offered by GDPR compliance. Rather than viewing the GDPR’s requirements as an unnecessary headache, companies should welcome the opportunity to beef up data protection and privacy practices in a business environment fraught with constant breach incidents and privacy mishaps. Boasting the most up-to-date and cutting-edge privacy and data practices can be a clear and strong differentiator in a marketplace full of consumers who are not only sick of having their data compromised, but who, studies show, are also willing to spend up to 24% more with companies they trust as secure. Also, in the process of becoming compliant with the requirements of the GDPR, companies will have built more robust infrastructures allowing for greater data-led business decisions – critical for any company hoping to succeed in today’s economy.
Can We Still Comply?

Yes – and now is the time. The basic GDPR requirements are straightforward, and include the following:
- Parties Affected. The GDPR affects companies, whether or not located in the EU, that collect personal data about EU residents (Data Subjects), or that process information on behalf of such companies.
- Breach Notification. Generally, if possible, companies must disclose serious data breaches within 72 hours to applicable data protection authorities and potentially affected individuals.
- Deletion of Data. Companies must provide reasonable means for Data Subjects to request the deletion of their information. Companies also have to remove such personal data from other websites or files where the company stores or uses it when requested.
- Parental Consent. Parents must provide consent for companies to collect data about children under age 16. EU member states may lower the age requiring parental consent to 13.
- Data Protection Officer. Companies with 250 or more employees that control or manage certain types of data must appoint a data protection officer (DPO).
- Privacy Impact Assessments. Companies must perform privacy impact assessments for certain processing of high risk data.
- Limited Use of Data. Companies may use information only for the explicit purpose for which it was collected and to which the Data Subject specifically agreed. For example, a company cannot use data received from an online order for marketing research unless the company disclosed to the consumer it was going to do so.
- Recordkeeping. Companies have enhanced recordkeeping responsibilities relating to Data Subject approvals and requests for data modifications or deletions. Records must be available to EU enforcement authorities upon request.
As a start, follow the steps below to begin the compliance analysis in your organization:
- Analyze your current workflows to establish how and where data is stored (Data Mapping).
- Review your contracts with third parties to determine how other parties’ processing of your data affects your company’s ability to comply with the GDPR.
- Develop policies for monitoring data security and procedures to contact users and appropriate EU officials in the event of a breach.
- Review and analyze all applicable policies and practices related to the handling of Data Subjects’ personal information to determine whether and how they must be modified to comply with the GDPR.
Conclusion

Although no one is sure how GDPR enforcement will play out, we do know that many companies are taking unnecessary risks by avoiding compliance, and are missing out on business opportunities as a result. Particularly now, data and privacy protection initiatives must be high priorities for any organization looking to thrive in the modern marketplace.