After several years of preparation, the European Union (EU) General Data Protection Regulation (GDPR) began to apply on May 25, 2018 to organizations that collect and maintain personal data about people in the EU. The law is designed to give individuals better control over how their personal data is collected and used, online and offline. Whether or not a company does business with people in the EU, leaders should consider GDPR a catalyst for stronger data governance within their organizations, and an opportunity to adopt a customer-first mentality. No one wants their personal information used in ways they did not ask for. Companies that respect their customers' wishes will gain the ultimate reward: their loyalty.
Here are some basics and frequently asked questions about GDPR:
What is GDPR?
In short, GDPR (Regulation (EU) 2016/679) is a privacy law that sets baseline requirements for processing the personal data of people in the EU. It restricts how organizations may collect, use, share and store personal data, requires a lawful basis for each processing activity, and gives individuals rights such as access, rectification, erasure and objection. You can read the specifics of the law here: https://www.eugdpr.org/
What type of companies need to be concerned about GDPR?
Recognizing that data travels well beyond the borders of the EU, GDPR protects people in the EU no matter where their data travels or resides. Its territorial scope is defined by Article 3: it applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour there. Citizenship is not the test; location of the data subject and the nature of the processing are. Organizations of all sizes are affected, from micro to multinational, and a company with no EU office is not exempt simply because its servers are elsewhere. Ultimately, however, legal counsel needs to determine the specific compliance requirements that apply to a given organization.
What departments need to be involved?
Because GDPR centers on how personal data is collected, used and protected, companies must coordinate their legal, marketing, IT and cybersecurity efforts so that there is no confusion about who owns which obligations. Where the regulation requires it (for example, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data), a data protection officer must be appointed as well.
What are the consequences of non-compliance?
In addition to a damaged reputation, non-compliance with GDPR can cost an organization up to 20 million euros or four percent of worldwide annual turnover for the prior financial year, whichever is higher, for the most serious infringements; a lower tier of up to 10 million euros or two percent applies to others. The exact amount is set by the supervisory authority, which weighs factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the categories of data affected, and what the organization did to mitigate the harm.
What’s coming next?
In June 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), changing the landscape of privacy law in the US. The CCPA gives California consumers a limited right to bring a civil action against companies for certain data breaches, and gives the state the right to bring an enforcement action directly, with civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, for violations that are not cured within 30 days of notice. Other US states are planning similar laws. Asia-Pacific (APAC) countries are following in the EU's footsteps and framing data protection regulations modeled on GDPR, with Japan, South Korea and Hong Kong leading the way. The broader Asia Pacific Economic Cooperation (APEC) region is looking to pass a regulation similar to GDPR before 2020.
How can Hartman help?
Hartman conducts an independent assessment of an organization's current data governance risk profile to determine how it compares to the desired state of GDPR compliance. Hartman then works with leadership to develop a data policy strategy, gain buy-in from the board and senior management, and design a program to meet any applicable compliance requirements, including GDPR. Hartman coaches and guides the team through implementation of sustainable privacy processes, controls and risk mitigation policies, and provides ongoing monitoring and advice for the new privacy-controlled environment.
Not sure where to get started with GDPR and data governance? Contact Hartman today to learn more about how we help organizations design and implement data security policies that incorporate GDPR.