The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR replaced the 1995 EU Data Protection Directive. It strengthened EU data protection rules by giving individuals more control over their personal data and establishing new rights for individuals. Organisations that process the personal data of EU citizens must comply with the GDPR. This includes organisations outside the EU that offer goods or services to EU citizens. Non-compliance with the GDPR can result in fines of up to 4% of a company’s global annual revenue or €20 million (whichever is higher). To comply with the GDPR, organisations must take steps to protect the personal data of EU citizens from unauthorised access, use, disclosure and destruction. They must also ensure that individuals have the right to information about their personal data, the right to withdraw their consent to its processing, and the right to have their personal data erased. Organisations that process personal data must disclose their contact information to individuals so that they can exercise their rights under the GDPR. They must also appoint a Data Protection Officer (DPO) if required by law.

General Data Protection Regulation (GDPR) Compliance Post-May 28th 2018


The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, has been widely touted, on several occasions and in several forums, as the most significant change to data protection law in the EU and globally in recent years.

Really and truly, the GDPR makes no fundamental change to any of the principal rules of the 1995 Data Protection Directive. However, it has extended the Directive’s requirements significantly by introducing a range of new obligations in support of those 1995 principal rules. The most fundamental of these changes is the level of the fines, which can now go up to 4% of worldwide turnover or 20 million Euros, whichever is the higher.

Several organisations have spent tens of thousands of Euros to achieve compliance (some even hundreds of thousands of Euros and millions), so the run-up to GDPR compliance has been quite costly, especially for organisations working in the digital space. Wide-scale enforcement has not yet been seen and an estimated 70% of European businesses remain non-compliant, having adopted a wait-and-see approach. Several Government entities and agencies across the European Economic Area remain non-compliant themselves.

Will The Wait-And-See Approach Pay Off?

Given the high cost of compliance and the even-higher cost of being discovered to be non-compliant, much will depend on enforcement in 2019. At this juncture (this article is being written in August 2018), there seems to have been a tacit acquiescence from national supervisory authorities that they will not start taking any active steps towards enforcement themselves before 2019 unless they have received complaints and are therefore compelled to act in order not to be found guilty themselves.

A wait-and-see approach is risky, but it might pay off if the Regulation is never enforced rigorously and those adopting this approach never find themselves in hot water because of a complaint or a data breach that can be traced to them.

Those adopting a wait-and-see approach need to make sure that, if wide-scale enforcement were to kick off, they would have an action plan that they can implement to become compliant within the shortest period of time possible. Thus far, we have seen implementation periods ranging from 5 months to 2 years. Becoming compliant quickly might have an operational impact on other areas of the business as resources are diverted towards compliance, and might still not be enough to keep any applicable fines at bay in the event of wide-ranging enforcement.

Moreover, it is clear that non-compliance risks will increase over time. As more firms become compliant, they are required to ask the other firms with which they work to confirm that they are GDPR compliant, and to include clauses to that effect in their agreements with them. Declaring that an organisation is compliant when in actual fact it is not might make the non-compliant organisation liable for damages beyond those provided for under the GDPR.

What Does Compliance Entail?

Achieving GDPR compliance is a complex, multi-stage job. It entails:

  • assessing current data sources, procedures and data flows, and assessing the compliance gap;
  • instituting processes, procedures and policies, as well as systems, to ensure that the obligations of the Regulation are respected;
  • having the right procedures and systems in place to avoid data breaches, and to act in the proper way on those occasions where breaches cannot be avoided;
  • providing training to staff;
  • periodically reviewing processes, procedures, policies and systems to ensure continued compliance.

What Sort Of Help Is Available To Ensure GDPR Compliance?

Considerable literature has developed around the GDPR, even though in certain respects the Regulation is ambiguous and only case law will settle it. Accordingly, depending on the size of the organisation and the sort of data that it deals with, it might be necessary or desirable to have a Data Protection Officer (DPO), a Data Protection Representative or a Compliance Officer dealing with GDPR issues. Specialised external consultants are also available to help an organisation with the specific GDPR compliance issues that it faces. Some GDPR consultants also offer template packages that may provide a compliance framework.
