Gosh Darn Privacy Regulations (GDPR): Doomsday Deadline Fast Approaching
The clock is ticking down. We’re now less than two months away from the day the General Data Protection Regulation (GDPR) takes effect: it becomes enforceable on May 25, 2018. As we’ve described in previous blog posts, the GDPR is a new regulation designed to protect the privacy and personal data of individuals in the European Union (EU). It is an EU law, adopted by the European Parliament and the Council, but it’s set to have a big impact on American businesses. There’s a reason the GDPR is being called “the most important change in data privacy regulation in 20 years.” It’s a radical overhaul of data protection rules, and if your organization is not prepared to comply, it could cost your company a pretty penny.
Why American Companies Need to Care About GDPR
So you might be asking yourself, “The GDPR is a European regulation. My business is based in the United States. How is this going to impact my company?” Unlike many regulations, the GDPR transcends borders: it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior there.
GDPR sets strict rules for how companies collect, store, and use personal data. Types of data covered by GDPR include: identity information, such as names and addresses; web data such as location, IP addresses, and cookies; and special categories that receive extra protection, such as health data, racial or ethnic origin, and political opinions. If your organization handles this kind of data about people in the EU, then your company is required to comply with GDPR, whether or not it has an office there.
The High Cost of Non-Compliance
Simply put, the penalties for noncompliance with GDPR are astronomical. Businesses found in violation of this regulation can be fined up to €20 million or 4 percent of annual global turnover, whichever is higher. Fines on that scale have the power to put some smaller companies completely out of business.
It remains somewhat unclear how the GDPR will play out in practice. Although the regulation applies directly across the EU, enforcement is handled by each of the 28 member states’ own supervisory authorities, and member states may set their own rules in certain areas. That means a country such as Spain could enforce GDPR differently from France, making compliance very complicated for companies operating in several countries.
How aggressively will regulators enforce GDPR? And which organizations are most likely to be targeted? It’s still too early to say for sure. But there are signs that all companies, from mom-and-pop shops to Fortune 500 companies, could catch the attention of regulators. For instance, Germany has started an investigation into 500 U.S.-based businesses with operations in the country, ranging from SMBs to big businesses. In short, no company is completely safe, so as a director or executive it’s your responsibility to make sure your company complies with this regulation.
Taking Action: Top 3 To-Do’s
You’ve had two years to get your organization prepared for GDPR, and now less than two months remain until the law takes effect. Nevertheless, if you act now, there’s still time to get ready for this regulatory day of reckoning.
Here are three actions to put at the top of your to-do list:
- Get expert consultation. Ensuring that your organization complies with the new law can be a gargantuan task. Bringing in a GDPR compliance expert will help you streamline the process and focus on the most important tasks. Remember, if you haven’t started preparing for GDPR until now, there’s a lot that needs to be done. A GDPR expert will serve as your point guard and help your team move down the court.
- Assemble a tiger team and move with intent. Given the far-reaching aspects of GDPR, this is not something that can simply be pinned on one person. You’re going to need a team that can work across the organization to drive action. At a minimum, your team should have leadership representation from the C-suite, information security, the general counsel, audit, marketing, sales, and human resources. And, with only seven weeks until the regulation takes effect, you need to give your tiger team the freedom to execute the tasks at hand.
- Drive cyber resilience beyond compliance. Because GDPR mandates that you account for and protect certain data and systems, use its requirements as an opportunity to get the rest of your house in order: evaluate and measure your cyber risk, review and update cybersecurity-related policies and procedures, prioritize cybersecurity awareness and cyber risk training, and run scenario-based exercises to test your response plans. In particular, GDPR requires you to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, so your incident response plan needs a tested path from detection to that notification decision.
Want to learn more?
If you would like help implementing your GDPR compliance plan, contact us. Let’s discuss how we can help reduce your company’s regulatory risk, today.