Approximately half way through the two-year implementation period before the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, an NTT Security report took stock of how prepared companies are for compliance. Interviews with 1,350 decision makers in businesses around the world revealed that many know very little about the GDPR and whether or how it will affect them.
The GDPR represents a significant change in the EU’s data privacy regulation. It will apply directly and immediately in all EU states — without the need for implementing national legislation — requiring that organizations be able to justify their reasons for holding or processing every piece of data in their possession. They also must make it clear to subjects what they will be using the data for at the time it is collected and prove they have adequate measures in place to protect it. Furthermore, one of the biggest concerns for organizations is the law’s provision for massive fines for non-compliance.
Organizations not yet fully cognizant of GDPR’s potential impact
Despite the GDPR’s compliance challenges and potential fines, half of European companies surveyed were seemingly unaware of the regulation’s implications. Switzerland has the highest percentage of GDPR-ready companies in Europe (58%), followed by Germany and Austria (both at 53%). Despite the UK’s confirmation that Brexit will have no effect on the government’s plan to implement the GDPR, the UK came in with the lowest awareness level, with only 39% of UK companies identifying the law as a compliance concern. Outside the EU, many mistakenly perceive the GDPR as only — or most likely to be — applicable to EU companies. Awareness levels are lowest in the U.S., where only a quarter of respondents believed the GDPR will affect their organization, followed by Australia (26%), Hong Kong (29%) and Singapore (33%).
Long jurisdictional reach extends to organizations worldwide
With such low levels of awareness being reported, some organizations seemingly fail to realize that the GDPR’s extended jurisdiction represents one of the most drastic changes in Europe’s data privacy regulation. With the goal of protecting all EU citizens from data and privacy breaches, it attaches to any data concerning an individual residing or present in the EU. Thus, if data is connected to an individual in the EU, the GDPR applies — regardless of where such data is processed.
Data subjects gain more control over data
Organizations should not expect GDPR compliance to be simple given the wide range of requirements designed to heighten protection of personal data and privacy. The GDPR grants data subjects significant control over their data, including the right to access, transfer and delete personal data, as well as receive notification within 72 hours of certain data breaches.
More stringent regulatory requirements for organizations
In addition to these rights, the law imposes considerable obligations on organizations, including the requirement to —
- Show exactly how and when they obtained consent;
- Make it easy to withdraw consent to future use of data;
- Appoint a Data Protection Officer, responsible for supervising data privacy and protection within the organization;
- Identify the scope of data relevant to the GDPR and adopt data protection systems tailored to the organization’s specific data practices and business operations; and
- Document their compliance measures.
Enormous fines one of GDPR’s defining features
Previously, the biggest risk concerning a data breach was lost revenue and reputational damage. The GDPR goes beyond relying on potential consequences and provides for steep penalties as a deterrent to violations. While lower-level offenses — record-keeping, security, breach notification, and privacy impact assessment obligations — can result in penalties up to the greater of EUR 10 million or 2% of the entity’s global gross revenue, those figures go up to EUR 20 million and 4% for more substantive violations, i.e., legal justification for processing, data subject rights and cross-border data transfers.
Mitigating risk of violations requires preparation and training
The jurisdictional reach and numerous requirements the GDPR presents should have organizations all over the world concerned with compliance. In today’s digital and global economy, the GDPR substantially increases the risk of unwitting regulatory violations, a risk employers can mitigate by training employees on data protection safeguards and relevant legal requirements. Thomson Reuters’ online Data Privacy and Security training course is an easy and effective way to ensure employees understand data protection and how to detect, prevent and address potential threats.