What Is GDPR?
The EU General Data Protection Regulation (GDPR), described as “the most important change in data privacy regulation in 20 years,” becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; organizations that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.
Notification Requirements under GDPR
Among the new expectations for companies under GDPR is accelerated notification timing to the supervisory authority and to affected data subjects—within 72 hours of first becoming aware of the breach. The chart below outlines these requirements:
Under GDPR, potential consequences for non-compliance with these notification requirements not only include hefty financial fines—up to €10 million or up to 2 percent of the total worldwide turnover of the preceding year—but also potentially significant impacts to brand reputation over the long term.
What Can Companies Do to Get Ready?
Gartner predicts only 50 percent of companies impacted by GDPR will be compliant by the end of 2018. So, what can organizations do to get ready?
Focus on Breach Prevention
- Identify, assess and amend existing technical and organizational security measures (GDPR Article 32)
- Review cyber insurance policies to ensure they sufficiently cover the costs of a data breach
- For third-party vendors/processors:
  - Implement/amend existing due diligence procedures to cover data protection/security
  - Check existing contractual terms and incorporate new mandatory GDPR requirements, including specification of the mandatory breach-reporting obligation and specific security measures
Review and Enhance Your Plans
- Review and update existing incident response and crisis communications plans to ensure they account for GDPR requirements
- Develop protocols and processes to meet the 72-hour notification requirement
Educate and Equip Employees
- Conduct a Board training/education session
- Inform, train and educate employees about the new regulations and impacts on data handling and breach notification
Test and Train the Team
- Pressure test GDPR-related response protocols through a simulated exercise
- Incorporate participation from core incident response team members, leaders and subject-matter experts from EU markets, and external partners (e.g., legal counsel, IT/forensics firm, crisis communications partner, notification mailing, call center and credit monitoring)
- Identify gaps and update/enhance incident response plans to address