Less than 65 days. That is how long is left until GDPR comes into force. Is your company prepared? The likelihood that your company is unprepared is high, as three out of five companies state that they are not ready to implement the changes that the new data protection regulation requires. According to a recent study by Forrester, a large number of businesses are working on adapting to the regulation and 22% expect to be compliant with GDPR in 2018. However, this could be too late; the enforcement date of May 25th has been known for two years.
GDPR, what is it and why should I be worried?
At this point, it is unlikely that you haven’t heard of GDPR. If your company processes data on European Union citizens, then you should be concerned. But why? Because, regardless of where your business is located, you must comply with GDPR. Clearly many companies are not aware that this regulation has a global scope, so it doesn’t only pertain to European companies. In fact, 43% of IT professionals in the United States do not believe that GDPR will impact their business.
GDPR is the acronym for the General Data Protection Regulation. This regulation aims to protect European Union citizens’ personal data privacy and to control how companies and institutions process, store and use this data. Therefore, it applies to companies of any size, wherever they are based, that handle this information.
GDPR provides individuals with enhanced rights to control and access their data. Companies also have a greater responsibility to protect data. Among the main changes is the requirement to obtain explicit and active consent from an individual to process, store or use their data (informing the user is not enough; they must give approval). There is also the requirement to notify supervisory authorities of personal data breaches within 72 hours after a company becomes aware of the incident. Furthermore, GDPR includes new rights such as the right to be forgotten (allowing users to request that their personal data be deleted under certain circumstances: if consent is withdrawn, if it is no longer necessary for the purpose for which it was collected, etc.) and the right to portability (giving users the right to request that organizations that store their personal data provide them with a copy of said data for transfer to another organization).
Despite the demands GDPR places on companies to strengthen control over personal data, some of the companies that depend most on personal data, such as those in the communication or retail sectors, are the least prepared to take on the regulation. Only 27% state that they are completely compliant with GDPR, and many admit that they have begun to apply changes due to “pressure from their own clients”, according to Forrester.
Risks of not complying with GDPR
Violating GDPR has various consequences:
- Economic: These are the most talked about and the ones that worry companies the most. Authorities will have the ability to impose fines of up to 20 million euros or 4% of a company’s total global annual turnover. These fines will be set based on various factors, such as the nature, seriousness and length of the violation (for example, how many people were affected and what damage it caused), whether it was due to negligence, whether there is a history of this type of behavior, etc.
The most severe fines will be given to companies that fail to comply with basic principles of processing personal data and that violate users’ rights or transfer personal data to third countries or international organizations that cannot ensure adequate protection.
In addition to these administrative fines, companies may face further financial repercussions from claims for compensation made by individuals whose personal data has been breached.
- Reputational: Failing to comply with GDPR could subject companies to public scrutiny. The greater degree of transparency required by the new regulation and the requirement to notify authorities of data breaches could bring more attention to your company; lest we forget the unfavorable opinion that customers will have knowing that their data is unprotected. The lack of trust and negative publicity should worry your company, even more so than fines do.
- Commercial: Not being able to show that your company is compliant with the regulation can cause you to lose customers and present obstacles in reaching agreements with other companies. Customers are not willing to put their personal data at risk if there is a competitor that is in line with the privacy standards required by GDPR. This also influences business agreements: no company will want to be a partner and share its clients’ information with another company that may endanger said shared information.
In short, not complying with GDPR can cause your company to cease trading. The cost, not just economic, of disobeying this regulation is too high to ignore. That’s why we’ve decided to help your company become compliant with the new regulation, putting privacy and personal data protection as a priority. This microsite has all the information on GDPR, the challenges it entails and how Panda Data Control and Panda’s corporate solutions are helping thousands of companies to protect the data of their clients. Remember: there are less than 65 days left.
Thank you for your interesting article.
One question. Does the EU have a plan to determine if the company is in accordance with GDPR? For example, is there a LAB GDPR, or do GDPR compliance auditors review organizations? Or is it just waiting for someone to file a complaint based on GDPR? I want to know when to take legal action against companies that violate GDPR.
Thank you for your interest. This situation is different in each country, since each Member State appoints a Supervisory Authority, one or more independent public authorities responsible for monitoring the application of this Regulation. Each Member State will notify the Commission of the provisions of its law that it adopts in accordance with Chapter 6 of GDPR (Independent supervisory authorities). Each supervisory authority will be competent to handle a complaint lodged with it or a possible infringement of this Regulation if the subject matter relates only to an establishment in its Member State, or substantially affects data subjects only in its Member State.
As referred to in Article 58, each supervisory authority shall have all of the following investigative powers:
1. to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
2. to carry out investigations in the form of data protection audits;
3. to carry out a review of certifications issued pursuant to Article 42;
4. to notify the controller or the processor of an alleged infringement of this Regulation;
5. to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
6. to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.