Now that the General Data Protection Regulation (GDPR) has become enforceable (effective 25 May 2018), what did your organization go through to satisfy the new law?
Are you now compliant and free to move on, with no more worries? Or are you still struggling?
We all know that data protection laws have been enacted since the 1970s to protect personal privacy, specifically by prohibiting the disclosure or misuse of information about private individuals and, under some national laws, businesses. But as time progressed, data protection became more complex, more challenging and harder to enforce successfully. Serious breaches escalated, especially with advances in online technologies and in the storage of data and its use (or misuse) via the internet.
In response, the European Union (EU) adopted the GDPR in 2016. It applies to private and public sector organizations established in the EU, including nonprofit or "not for profit" organizations. It also applies to most organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there.
GDPR is viewed by many as the most intimidating regulation yet. The biggest worry is the severity of the penalties imposed on organizations that fail to protect customer and organizational data. The most serious infringements, including a mishandled data breach, can draw a fine of up to €20 million (roughly $23.9 million at the time of writing) or 4% of total worldwide annual turnover, whichever is higher.1
One research report states: “2017 has been a tumultuous year for security breaches. The May 2017 global cyberattacks on many prominent organizations -- like the delivery juggernaut FedEx -- have been an urgent wake-up call to information management professionals. More than ever, businesses and enterprises must be vigilant to prevent becoming another statistic in the next major security breach.
“By 2020, it’s estimated the volume of data produced by humans and machines will grow by at least 50 percent. Machine-produced data is projected to grow 50 times faster than traditional data. The penalties for not meeting compliance standards and the increase in employee mobility also raise the question: How can organizations protect themselves?”
Many articles provide helpful advice; two of them might be a good place to start.2
Myths about GDPR
It may also help to expose some of the myths (incorrect assumptions many organizations have made), such as these:
- The GDPR does not apply to businesses outside the European Union (EU); it only applies to companies in the EU, so a non-European organization has nothing to worry about and cannot be fined. In fact, Article 3 extends the GDPR to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour there.
- We have only 4 employees, or fewer than 250 employees, and therefore do not have to worry about GDPR compliance. There is no headcount exemption; the 250-employee threshold only relaxes the record-keeping duty in Article 30, and even that relaxation has exceptions.
- All personal data is the same. Special categories of data (for example health, biometric, genetic data and data revealing racial or ethnic origin, political opinions or religious beliefs) are subject to stricter rules under Article 9.
- GDPR does not apply to data we have already collected; the personal data already in our database is not subject to it. The regulation applies to all processing of personal data from 25 May 2018 onwards, regardless of when the data was collected.
- It is our cloud service provider's job to make sure our data is compliant, so GDPR is their problem. The customer is normally the controller and remains accountable; the provider is a processor with its own obligations under Article 28, and both must be able to demonstrate compliance.
- Every company has to appoint a Data Protection Officer. Under Article 37 a DPO is mandatory only for public authorities, for organizations whose core activities involve large-scale regular and systematic monitoring of individuals, or for large-scale processing of special categories of data.
- Fines are the biggest threat to your business. Supervisory authorities can also order processing to stop, individuals can claim compensation under Article 82, and the reputational damage of a public enforcement action or breach notification can cost more than the fine.
- All security incidents must be reported within 72 hours. The 72-hour deadline in Article 33 applies to personal data breaches notified to the supervisory authority, and only where the breach is likely to result in a risk to individuals; incidents that do not involve personal data are outside its scope.
- All data must be encrypted to be in compliance with the GDPR. Article 32 lists encryption as one example of an "appropriate" technical measure; the obligation is to choose measures proportionate to the risk, not to encrypt everything.
- We are a nonprofit organization and therefore are exempt from GDPR compliance because we do not undertake a profit-related activity. There is no exemption for nonprofits; the only activity-based exemption is for purely personal or household use.
- When relying on consent to process personal data, consent must be explicit. Ordinary consent must be freely given, specific, informed and unambiguous (Article 4(11)); "explicit" consent is a higher bar required in particular cases, such as processing special categories of data under Article 9.
- GDPR is all about encryption, pseudonymization and privacy enhancing tools. Technical measures are only one piece; most of the regulation concerns having a lawful basis for processing, transparency, honouring data subject rights, and being able to demonstrate accountability.
OTHER COMPREHENSIVE REFERENCES
If you still need some basic explanations of GDPR, here are more helpful references:
- EUGDPR.org, "GDPR key changes and how to prepare". A basic but thorough and helpful overview.
- MarTech Today, "Guide to GDPR: The General Data Protection Regulation". Provides insight into US implications.
- Information Age, "What is the motivation behind data security?", March 7, 2017.
- ARKIVE Information Management Incorporated (Atlanta, GA), "5 Reasons your business needs the most secure data protection available", July 12, 2017.
- Forbes Finance Council, "How To Protect Your Business From A Data Breach: Seven Key Steps", March 8, 2018.
- European Union, "General Data Protection Regulation (GDPR)" (the regulation text).
- Panda Security mediacenter, "Debunking the Myths of the GDPR", October 9, 2017.
- Panda Security mediacenter, "Debunking the Myths of the GDPR, Part 2", November 17, 2017.
- BH Consulting, "GDPRubbish: seven common data protection myths debunked", March 13, 2018.