2018 is GDPR Year!
There are only a few days left before the EU General Data Protection Regulation goes fully into effect on May 25th, and some of you out there may be panicking!
After all, this is an 88-page piece of legislation with 11 chapters, 99 articles and 173 recitals, many parts of which are still quite vague and open to interpretation (to say the least), with fines for non-compliance going up to 4% of your company's global revenue or €20,000,000, whichever is greater.
No laughing matter, but no reason to panic either. Seriously now, don't panic!
The GDPR is meant to upgrade the protection of data privacy rights of individuals and bring the same high standards across the EU, which is a good thing.
It is meant to force organizations to take on responsible data management and be transparent about how they collect, store and use personal data, which is also a good thing. So, no harm there, right?
Now, we say don't panic because privacy awareness and relevant legislation in the EU have been around for a while, so it is probable that your organization already takes data management seriously and has some safeguards in place as part of its current compliance policy for data issues; very few companies actually start from scratch.
Even so, your data policies and internal regulations would have to be reviewed, a thorough mapping of your data management would have to take place and problem areas or vulnerabilities should be identified.
There are plenty of questionnaires, guides, tutorials and all kinds of GDPR-ready material available online, so go ahead and take your pick on how to get started. The official EDPS website and the webpage of your national Agency for Data Protection are probably a good place to start.
This should do the trick for simple cases and organizations that do not handle any sensitive personal data, keep their consent forms updated and present very low risk for a data breach.
If you belong to just about any other kind of organization though, you will soon realize that it is probably worth investing in professional consulting on GDPR issues, a first diagnostic of your current status of compliance, an audit or an impact assessment, according to your activity.
You know your organization needs personalized consultation and training on GDPR when:
- you collect, process or store personal data that is considered sensitive
- you transfer personal data to non-EU organizations or countries
- you have no idea whether your organization does any of the above and how
- you scored low in an audit of your current data security system
- you have no idea what privacy by design means
- your activity is linked to Big Data and IoT
- you need to hire a Data Protection Officer (DPO) but you don't know exactly what for
- you have never assessed the real risk of a data breach, nor do you have a mitigation plan in place
- you have had a data breach in the past
- the informed consent forms you have been using are more than two years old
- you carry out profiling or automatic decision making using personal data
- your employees have never had any formal training on privacy and data issues
You get the point?
Bottom line: we suggest you see this as an opportunity to start doing things right, to improve your organization's data management policies and to review how you collect, store, use and dispose of personal data in a transparent and responsible manner. Keep in mind that this is about making organizational changes as much as it is about legal compliance as such; in other words, there is an important part involving your providers' and employees' level of awareness, training and follow-up that should not be neglected.
In our experience, reviewing and implementing these kinds of changes can be a challenging process, which you have to go through, fair enough. But you don't have to do it alone and – believe us when we say this – you certainly will not regret seeing your organization come out empowered on a legal, organizational and human level.
If you want more information on our expert GDPR consulting services, including Privacy Impact Assessment and audit services, please contact us with your questions.
Besides this, if you want to be trained as a Chief Privacy Officer (CPO), or if you'd like to know our training options, including Master's degrees and other courses in Technology, Privacy and Security, please visit our Eticas Foundation's education webpage.