Enacted on May 25, 2018, the General Data Protection Regulation (GDPR) shook up the privacy world by enacting some of the strongest consumer protection laws ever seen. Any industry that processes the personal data of European Union residents was affected, and the regulation was designed to force organizations to implement the appropriate processes to manage consumer privacy and build consumer trust.
One year later, we reflect on what’s changed – and where we’re headed in 2019.
Stronger Enforcement is Coming
The GDPR was announced in 2016, giving organizations two years to enhance their privacy processes in preparation of the May 25, 2018 deadline. Organizations that are not compliant could face stiff penalties including:
- A warning in writing in the cases of first and non-intentional noncompliance
- EU Commission-directed data protection audits
- Restricting access to data, including definitive and permanent bans
- Loss of the organization’s ability to operate in the EEA and EU Member States
- A fine of up to €20,000,000 or up to 4% of the annual worldwide revenue of the preceding financial year in case of an enterprise, which is greater
- Damaged reputation
Despite the two-year warning, many organizations waited to update their privacy policies and features, causing a last-minute scramble and messy implementation. In January of 2019, Google was fined £50,000,000 by France’s data protection authority (DPA), who charged Google with a lack of transparency and consent in advertising personalization (including a pre-checked box to personalize ads for the consumer). In the United Kingdom, over 96,000 complaints with the GDPR have been filed since the GDPR implementation date.
Even with these high-profile cases, it may feel like GDPR enforcement has been relatively quiet – but we think that’s about to change soon. As a regulation, GDPR is mandatory for organizations to follow. As a regulation, each member state in the European Union had to create its own laws and regulations to enforce GDPR. To date, there are still nations that have yet to ratify laws to enforce GDPR, including Bulgaria and the Czech Republic. But as GDPR continues to grow in popularity and importance, more nations will create laws to enforce it.
In 2019, we expect to see more fines – especially from the countries that are leading the charge like Germany and France. Germany has been extremely proactive with enforcement and will only crack down harder in the coming years. Even the United States is showing increased interest, as evidenced by the Federal Trade Commission expected to fine Facebook up to $5 billion for privacy violations. As GDPR increases in importance, it is important to take proactive steps to ensure compliance for your organization.
The Dos and Don’ts of GDPR
Because a year has passed since GDPR’s implementation, there has been plenty of time to study misconceptions and mistakes to avoid. Some of the biggest misunderstandings can be avoided by following these tips:
Do Appoint an Article 27 Representative
If your business is not based in the European Union and offering goods or services directly to EU residents (including through the internet), you are required to appoint an Article 27 representative for your business. Article 27 representatives hold an organization’s EU-based data and communicate on the organization’s behalf to EU authorities. Failure to appoint an Article 27 representative can lead to steep administrative fines – up to €10 million or 2 percent of global turnover. If you are not offering goods or services to EU residents, an Article 27 representative is not required.
Do Think About Personal Data of Staff
The GDPR covers the data of all EU residents – this applies to not just your customers, but your employees too. Many organizations are rightly concerned about updating processes and procedures to protect customer and client data in full compliance with GDPR but forget to update their internal systems for tracking and processing staff data. Don’t let this oversight cost you GDPR compliance.
Don’t Entrust it to One Department
GDPR is a serious requirement that touches many facets and departments of an organization – leaving compliance to a single department can overwhelm them and leave crucial team members throughout the organization in the dark.
While the IT department will be needed to make key GDPR changes, it is important to engage staff of all levels through training that explains how GDPR affects them, the business and your customers. The more everyone understands GDPR, the higher the likelihood of achieving compliance.
Do Undergo GDPR Regardless of Size
Any organization, even the smallest of businesses, that processes the personal data of EU residents must comply with GDPR.
Becoming GDPR Compliant
An unfortunate side effect of GDPR’s importance is that an entire industry has developed overnight offering GDPR certification programs – but no official program exists. These certification programs are currently meaningless, as the only way to become GDPR compliant is to meet regulatory requirements yourself.
Thankfully, A-LIGN can help. To help you meet GDPR compliance, we have developed two customized packages that fit the unique needs of any organization.
The GDPR workshop is ideal for organizations who are unsure of how GDPR may impact them and are seeking the assistance of privacy experts. The GDPR workshop package includes:
- Full-day workshopping session: This workshop will be an introduction to the basics of privacy, GDPR and related privacy regulations.
- High-level identification of GDPR-covered data: Through interviews and conversations with an organization’s staff, A-LIGN will identify the data that would be covered under GDPR.
- High-level gap assessment and analysis: Once the data has been identified, the A-LIGN team will conduct a high-level gap assessment and analyze the areas that could potentially require remediation to comply with GDPR.
Following the workshop, the organization will receive a document summarizing the GDPR-covered data and a gap assessment.
The GDPR assessment package is for organizations looking for more robust GDPR reporting. It includes:
- Gap Assessment: A-LIGN’s gap assessment includes a review of your organizations existing policies and procedures to meet the relevant requirements of the GDPR. The gap assessment identifies and ranks your organization’s gaps by risk level, providing your organization with a clear path to begin remediation and a roadmap towards compliance with the GDPR.
- Data Mapping: A-LIGN’s team will conduct interviews with the key organization members from Human Resources to Information Technology to understand the data processing activities that expose your organization to the GDPR pursuant to Article 30. The data mapping exercise deliverable is a detailed mapping of data processing activities and the data protection mechanisms that your organization has in place to meet its requirements under the GDPR.
Following the assessment, the organization will receive a full gap assessment report and data processing activity mapping document.
Enterprise GDPR Solutions
There is no “one-size-fits-all” solution for enterprise-level organizations, which is why we developed customized enterprise solutions that can include the following:
- GDPR Workshop and Assessment Packages
- GDPR Advisory Services: Your organization requires customized privacy solutions powered by A-LIGN’s GDPR advisory services. A privacy expert will work with your team to understand how privacy impacts your business.
- Policy and Procedure Development: Privacy doesn’t happen by accident, which is why A-LIGN’s experts will work with your organization to develop policies and procedures that bridge and remediate gaps and build a culture of privacy by design.
Not seeing the privacy service you’re looking for? A-LIGN’s privacy team can build a customized package for your unique needs, including services like privacy impact assessments.
Need to achieve GDPR compliance for your organization? Reach out to our privacy assessors at 1-888-702-5446 to learn more about our privacy offerings or contact us for more information.