6 Reasons To Act Now And Get GDPR Ready
There are lots of excellent articles and guides out there to steer you towards GDPR compliance. Needless to say, they are detailed and lengthy, but the six reasons below can get you up to speed in a matter of minutes:
- Unlike the previous EU Directive on data privacy, the new GDPR is an EU Regulation. This means it becomes immediately effective on 25th May 2018 after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by national governments.
- The penalties for non-compliance are significant. Fines can be imposed of up to 20m Euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraphs 5 and 6).
- Customer consent must be explicit. Valid consent must be explicit about the data collected and the purposes for which it is used (Article 7; defined in Article 4). In addition, data controllers must be able to prove that consent (opt-in) was given, and consent may be withdrawn.
- The old escape clauses for non-European companies no longer work. Non-European companies used the “Safe Harbor” provisions to comply with the original data protection regulation. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering that they met EU requirements could transfer data from the EU to the US. But the international Safe Harbor Privacy Principles were overturned on October 24, 2015 by the European Court of Justice after a customer complained that his Facebook data was insufficiently protected.
- Managing unstructured information and documents is key to compliance. According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.” The Commission notes, “It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” Companies must be able to identify any place or document containing personally identifiable information (PII) and be able to provide an index of that PII data to the customer if requested – an impossible requirement without a content management system.
- Extended chains of liability. If PII is being stored or handled by a cloud services provider or a document process outsourcer on your behalf, you retain responsibility for the data governance practices of your outsourcers.