On May 25, GDPR (General Data Protection Regulation) becomes law in the European Union. That means it becomes law for you too, unless your organization has literally no customer personal data, transactions, or customers in the EU. The stakes are very high, and there's a lot of angst out there, especially among financial institutions and insurance corporations.
More than one in five senior executives say they have little or no idea how GDPR will impact their business, and only one-quarter think they will be fully prepared by 2018. What are the likely impacts on an organization that has customers, data, or transactions in the European Union?
We've been hearing some questionable information. Fortunately, we have a kickass security officer. Also, I read the GDPR website. So let's play a little GDPR myth versus reality.
Myth 1: We can improve as we go.
Reality: There is no grace period. Wait. Move to rephrase.
There is a two-year grace period, but it started in 2016 and ends on May 25, 2018. On that date, according to the official GDPR website, "The GDPR will become fully enforceable throughout the European Union."
Myth 2: We can afford a little fine.
Reality: The GDP directive is law, but it does not carry mandatory penalties. The new GDP regulation does have mandatory penalties, and they are serious. Minor infractions are defined as infractions that affect only one record. Probably very few if any such infractions will occur. A major infraction involves two or more records.
Minor infractions will incur 10 million Euros or 2% of the global gross product, whichever is greater. Major infractions will carry a fine of 20 million Euros or 4% of the global gross revenue, also whichever is greater.
Myth 3: I’m compliant with the current GDP directive, so I’m good.
Reality: GDP will not grandfather in companies that are out of compliance with the new, tougher regulations. If you were in compliance with the current version, congrats. But if you’re not in compliance with the version that becomes law in May, you are subject to penalties immediately.
Myth 4: We’re based in the US, so it doesn’t apply to us.
Reality: The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
Myth 5: Our customers choose to work with us. That’s consent.
Reality: The conditions for consent have been strengthened. Companies will no longer be able to rely on long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of "opt-in" will suffice. For non-sensitive data, however, "unambiguous" consent will suffice.
Myth 6: As long as we’re not hacked, we’ll be OK.
Reality: Even if none of your customers are exposed to danger, you can be subject to the maximum fine for not having sufficient customer consent to process data or for violating the core Privacy by Design concepts. You can be fined a smaller amount for not having your records in order.
Myth 7: The fewer systems we use, the safer we'll be.
Reality: First, think of the pros and cons of a password storing service like LastPass or 1Password. They promise to keep your passwords safe, which is phenomenal. But if it is breached (and it has happened), it is a single point of failure for all your systems.
Second, you implement privacy controls to enable good business. You work with the integration partners you trust for the same reason, so limiting products and services doesn't really make sense. Use a trusted source for connecting your tools, transferring data, and sharing information, and you're on your way to complying with GDPR.
Even the most barebones multinational corporation uses multiple systems. There are monitoring systems, single sign-on tools, issue management tools, marketing tools, customer record keeping systems, analytics, financial tools, and more. Sure, you could do it all with in-house tools, but who wants to deal with that kind of a maintenance nightmare?