The GDPR: Are your compliance officers ready?

They say knowledge is power, and data is helping many organisations derive the insights they need to gain a crucial competitive edge over rivals. However, with great power comes great responsibility, and companies must remain compliant with data-handling laws to avoid financial and reputational damage.

 

As businesses expand globally, transferring data across international boundaries becomes more common. This can create problems when countries have different regulations and processing legislation, which is why the EU last month adopted the General Data Protection Regulation (GDPR).

 

The GDPR replaces the existing EU Directive 95/46/EC and individual national laws, such as the UK’s Data Protection Act. Essentially, the regulation harmonises the disparate pieces of legislation currently in place across member states. While it was officially adopted in April, the GDPR isn’t likely to come into force until 2018.

 

This gives compliance officers approximately two years to ensure their operations are ready to follow the new guidelines. But what changes are set to come? And how prepared are businesses to comply?

New data laws

The GDPR will introduce a number of obligations on organisations, some of which could prove costly if breached. Let’s look at some of the key changes businesses face.

 

Fines: Violating the regulation comes with a hefty price tag. In fact, national data authorities (NDAs) can penalise businesses up to four per cent of their total worldwide annual revenues or €20 million, whichever is higher. Lesser breaches incur a two per cent or €10 million fine.

 

Breach notifications: Businesses must inform authorities of any data breaches they experience within 72 hours of discovery. Furthermore, they will need to contact any individuals whose rights or freedoms are at a high risk due to the breach.

 

Tighter consent conditions: Organisations need to obtain clear, unambiguous and freely given consent from people in order to process their personal data. Consent can also be withdrawn at any stage.

 

Accountability: Data controllers have to demonstrate GDPR compliance by maintaining comprehensive documentation and carrying out data protection impact assessments. They must also follow data minimisation guidelines.

Are businesses ready?

Despite the potentially significant fines attached to violating the GDPR, some businesses remain unaware of their responsibilities under the regulation. A study from Trend Micro showed 12 per cent of British organisations didn’t know they were required to comply.

 

This may not come as a surprise, as 14 per cent admitted they don’t follow the UK’s Data Protection Act either. Meanwhile, 30 per cent of EU respondents aren’t complying with current regulations.

 

Less than half of organisations polled knew the extent of the fines they could face after the GDPR is implemented, while 18 per cent weren’t aware that a financial penalty could be imposed at all.

 

James Walker, a security adviser at Trend Micro, said: “It’s a lot for businesses to take in – and thus far it seems as though they haven’t taken it in. There does seem to be a major lack of understanding.”

 

He added that enterprises must begin preparing as soon as possible, and planning should take place from the boardroom down.

 

The possibility of incurring a €20 million fine for data protection failures will no doubt have compliance officers scrambling to ensure their businesses are ready for the GDPR in 2018.

How can businesses prepare?

Law firm Allen & Overy recently said that while two years may seem a long time, some of the accountability frameworks that should be put in place may take months to properly integrate. The company also provided a number of tips on how to prepare for the changes.

 

First, businesses must introduce clear data protection policies to ensure they are agile to potential breaches and can inform the relevant authorities quickly. Establishing an accountability framework is also important, while encouraging a culture of monitoring and assessing data-handling processes.

 

Any privacy notices and policies should be outlined in transparent language without obfuscation so that individuals can easily understand what will happen with their data. People will also have a lot more control over how their information is used, which means businesses must have legitimate reasons for storing data.

 

Organisations were also advised to take more care with international data transfers where the recipient nation does not have sufficient protection. According to Allen & Overy, this is not a new problem, but it becomes particularly relevant now that punitive measures are so stringent.

 

Ultimately, businesses must ensure they have the right people, processes and procedures in place to comply with the GDPR. Data has become an incredibly important asset, but companies could find it’s an expensive liability if they fail to handle information correctly.

 

Our Market Reports combine our review of the prevailing conditions in the compliance recruitment market with the results of our latest employer survey.

 

Image: StockFinland via iStock