As of May 25, 2018, the new General Data Protection Regulation (GDPR) takes effect. While the regulation is an EU one, coming from the UK’s Information Commissioner’s Office (ICO), it applies to U.S. companies operating within the EU and/or handling EU citizens’ data.
Data breaches result in heavy collateral damage to companies including the loss of customers and plummeting stock value. According to the 2017 Ponemon Cost of Data Breach Study, U.S. businesses lose an average of $3.6 million per data breach. The Equifax data breach led to the company’s stock price falling by about 20% while Yahoo’s sale price was reduced by $350 million when it was damaged by the largest breach in history.
In addition to these losses, the GDPR allows individuals to bring claims and receive compensation if they have suffered damage as a result of noncompliance. Further, the GDPR allows for hefty fines: $22 million or 4% of a company’s global revenue, whichever is higher.
The ICO moves the compliance needle away from a tick mark on a checklist and toward full integration into a company’s privacy and operational culture. GDPR stipulates that companies maintain adequate data records; notify regulators in the event of data breaches; guarantee customers the right to be forgotten; and enable customers to take their data with them.
To meet these requirements, you’ll need to document what personal data you collect and hold, where it came from, and with whom it was shared. If your organization doesn’t have current procedures in place for these things, an information audit may be required. You’ll also need procedures in place to detect, report and investigate data breaches. It’s not uncommon for organizations to identify a data breach months after it occurred. If you fail to report a breach in a timely manner, even by accident, you can be fined $11 million or 2% of “global turnover”, again whichever is higher.
Further, you must appoint a Data Protection Officer (DPO) if you are a public authority, conduct monitoring of individuals (e.g., online behavior tracking for marketing purposes) or process (or are involved with processing) sensitive data, like health or criminal records. A Data Protection Officer cannot have a dual role as CTO or another position that may create a potential conflict of interest.
Another expansive requirement within the GDPR is the provision of more information to customers, including data retention periods and how to lodge a complaint with the ICO. The provision also grants customers additional rights to access their data, correct inaccuracies, erase their data, and transfer their data safely. These requests must be completed within 30 days and free of charge (although there are contingencies for excessive requests). Finally, there must be parameters in place to protect customers from direct marketing and profiling, including changes to consent: GDPR clearly states that consent must be clear and involve an affirmative action. This effectively bans pre-checked opt-in boxes and mandates that consent be separate from other terms and conditions.
As the deadline approaches, is your company ready?
With stringent requirements and hefty fines, it’s no surprise that a 2017 GDPR Preparedness Pulse Survey conducted by PricewaterhouseCoopers found that 92% of respondents considered GDPR compliance a top priority within their data privacy and security agendas, while 77% planned to allocate at least $1 million toward the effort.
While we’ve captured some of the key requirements here, this blog post is by no means exhaustive. Make sure you’re up to speed on all the changes and requirements. At SmartFile, it is our goal to support our customers to the best of our ability. We will continue to provide top-notch service and support to all we serve.