Sara Verbruggen

Freelance journalist


Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
May 25, 2017


One year to go

Clock starts ticking on GDPR compliance

The rights of EU citizens over how their personal data is used will be strengthened when the General Data Protection Regulation (GDPR) goes into effect one year from now.

The consequences of non-compliance mean that companies which collect, store or process personal data must overhaul their data strategies.

Companies and organisations need to be fully aware of the regulation and its implications, as non-compliance can lead to significant fines.

The European Commission is implementing GDPR, but its implications go beyond the borders of the EU, as the regulation also applies to some companies outside the zone. Many UK businesses are underprepared for the GDPR, which is cause for concern.

An organisation is only exempt if it categorically does not collect or process any personal data drawn from the European market, does not offer goods or services to European citizens, and does not track or create profiles of them.

In addition, GDPR expands liability beyond the current directive to include data processors as well as data controllers.

The key things the GDPR does include increasing the individual’s expectation of data privacy and an organisation’s obligation to follow established cybersecurity practices.


Any violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars depending on the size of the organisation and its income.

GDPR also imposes detailed and demanding breach notification requirements. American companies that need to comply, and that are accustomed to US state data breach reporting rules, may need to adjust their breach notification policies and procedures.

The regulation also requires many organisations to appoint a data protection officer (DPO), if core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.”

According to Dr Jamie Graves, CEO at ZoneFox, the GDPR is a game changer in every way, from bolstered rights for individuals through to a daunting new fine structure designed to hit companies exactly where it hurts – their bottom line.

“It is the sort of overhaul that gives even the most seasoned executive team sleepless nights, due to its complexity and how it touches on every aspect of their business.

“The starting gun has officially been fired and one thing is for sure: from day one, the EU will not be accepting excuses. They believe organisations have had more than enough time to prepare. Those companies that haven’t started to unravel what GDPR means for them need to get proactive.”

GDPR is all about data. It is imperative that organisations have a full, 360-degree view of data entering, leaving and being stored within their business. This visibility can then be used as a foundation to assess and restructure processes in order to ensure compliance, advises Graves.

Though complicated, GDPR also presents companies with an opportunity. With data breaches becoming increasingly common and personal, by being compliant companies can demonstrate their commitment to data security and privacy.

“After all it’s not just money companies have to lose – their reputations are also on the line,” he says.
