Consequences of not being GDPR compliant

GDPR applies from May 25th, 2018 and places important new obligations on any business that handles the personal data of individuals in the EU, regardless of where the business is located. It gives individuals more say over what organizations can do with their data, backed by strict fines for non-compliance and breaches. With new obligations on matters such as data subject consent, pseudonymization, breach notification, cross-border data transfers and the appointment of data protection officers, to name a few, GDPR requires companies handling the data of people in the EU to undertake major operational reform.

Penalties for non-compliance with GDPR apply to both data controllers and processors, and the amount depends on factors including:

  • The nature, gravity and duration of the infringement
  • The number of data subjects affected and the level of damage they suffered
  • Whether the infringement was intentional or negligent
  • Any action taken to mitigate the damage

For the most serious violations, a business can be fined up to 20 million euros or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of infringements carries fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher. Fines of this size make it clear that GDPR compliance cannot be ignored.

GDPR compliance is not just about fines; the risk of non-compliance can be extremely expensive in other ways. According to recent research, cyber-attacks can cost businesses anywhere from $14.00 to $2.35 million per incident, and data breaches and attacks are growing all the time, so the direct cost of an attack on an organization can be significant. On top of that comes the cost of brand and reputational damage after an attack.


GDPR Implementation – 10 Step Action Plan

The European Union’s General Data Protection Regulation (GDPR), which applies from May 25th, 2018, is sweeping new legislation designed to protect the data rights of EU residents. It affects every organization that interacts with an EU resident in any way, wherever that organization may be located. Fines for failing to be GDPR compliant can be severe: up to 20 million euros or 4 percent of worldwide annual turnover, whichever is greater.

While some organizations have already implemented processes and software and appointed DPOs to take care of their GDPR compliance, many are still finding their way. Marketers, in particular, need to educate themselves on GDPR and take action to ensure they are compliant in the ways they collect, manage, process and share information.

While every organization needs proper consultation and legal advice on being GDPR compliant, here are 10 things to do and consider as a framework for GDPR compliance to give you a head start on your own efforts, or to compare to the work you’ve already undertaken:

(1) Raise awareness and create alignment: educate all company stakeholders so that they can anticipate the impact and potential risks of GDPR.

(2) Map your information and perform a detailed data audit. In particular, you need to have answers to the following basic questions about your data:

  • Who are our data subjects? Who has access to sensitive data?
  • Where do we keep their personal data? Where do we transfer personal data to?
  • Why is personal data under our control (for what legitimate purpose)? Why do we share it with third parties? Do third parties share it with other entities? If so, who, how many and to what purpose?
  • Until when do we keep personal data? When do we share personal data with others?
  • What mechanisms do we have in place to safeguard personal data?
  • How is data being processed? How long should it be kept?

(3) Do a full review of current privacy notices and ensure that they meet GDPR requirements before it takes effect. At a minimum, a notice should cover the following points:

  • The identity and contact details of the controller and, where one has been appointed, of the data protection officer.
  • The purposes of the processing and its legal basis.
  • The retention period (how long the data will be kept, or the criteria used to decide that).
  • The rights of access, rectification, erasure, restriction, objection and data portability.
  • The right to lodge a complaint with a supervisory authority.
  • Recipients of the data and any transfers outside the EU.
  • The right to withdraw consent at any time, where processing is based on consent.
  • The legitimate interest of the controller or of a third party (where that is the legal basis) in collecting the data.

(4) To be GDPR compliant, organizations must be able to demonstrate that they can respond to a data subject’s request for their personal data. This must normally be done within one month of receipt; the period can be extended by up to two further months for complex or numerous requests, provided the data subject is told of the extension and the reasons for it within the first month.

(5) Perform a Data Protection Impact Assessment (DPIA), which GDPR requires wherever processing is likely to result in a high risk to individuals: review your data processing activities, identify and document the legal basis for each type of processing, and ensure that no personal data is collected beyond the minimum necessary for each specific purpose.

(6) Manage the consent of data subjects and ensure that consent is sought, obtained and recorded according to the GDPR requirements (freely given, specific, informed and unambiguous), and that you are able to respond to inquiries about what consent you hold and when it was given.

(7) Ensure data security by providing mechanisms to pseudonymize, encrypt or otherwise protect personal data, and implement a process for detecting and reporting data breaches: a breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and communicated to the affected data subjects without undue delay when it is likely to result in a high risk to them.

(8) The privacy by design and by default provisions of GDPR require that all consumer interactions and touch points have privacy built into them and that their default mode is compliant. To implement this, plan, design and perform your data processing activities so that, by default, only the personal data necessary for each specific purpose of the processing is processed.

(9) Appoint a Data Protection Officer (DPO) where GDPR requires one (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data); it is good practice to do so even where it is not mandatory. Give the DPO the tools to maintain audit trails of processing activities to demonstrate accountability and compliance, to liaise with and assist supervisory authorities, and to monitor compliance with data protection law.

(10) Ensure that the personal data you collect can be given back to individuals whenever they ask for it, in a structured, commonly used and machine-readable format that can be transferred to another data controller (this is known as “data portability”).

Where to start?

While all of the above-mentioned points are critical, if you want to kickstart your efforts, a good place to start is with information mapping and a data audit (#2 above). Not only will this help with GDPR compliance, it will also enable you to better understand your customers and make smarter choices when planning and allocating your 2018 budgets.

Technology also has an important role to play in your effort to be GDPR compliant. A tool like LuitBiz, which has built-in GDPR compliance rules, lets you manage all your data and documents in one integrated, easy to use cloud-based application. This helps your organization not only become compliant with GDPR but also be better positioned to personalize your marketing activities for better ROI.