A data breach will cost a U.S. business $3.6 million on average, according to the 2017 Ponemon Cost of Data Breach Study.
Large organizations risk more – Yahoo's sale price was reduced by $350 million after it suffered the largest breach in history.
To protect businesses and their customers, the EU is introducing stringent data privacy rules through the General Data Protection Regulation (GDPR), which takes effect in 2018. Businesses that fail to comply with GDPR requirements will face massive fines: up to $22 million or four percent of global revenue, whichever is higher.
GDPR won’t just affect EU-based businesses. U.S. companies that process personal information from EU residents have until May 25, 2018, to comply with the regulation or risk fines.
With GDPR on the horizon, what can businesses do to protect themselves? U.S. companies are already allocating millions of dollars to accommodate the GDPR law, but more must be done. Businesses cannot afford to wait until 2018 to begin their preparations. Here are nine GDPR requirements you must meet for 2018.
1. Awareness is the first step
Awareness of GDPR is the first requirement: no progress toward compliance will be made if the decision-makers in your company are not aware of the new laws. These key people should understand the impact of GDPR and know which areas of the business will be most affected when the law is introduced.
Becoming GDPR compliant will consume your company's resources; 68 percent of U.S. multinationals are setting aside between $1 million and $10 million for GDPR-readiness projects.
Raising awareness and preparing for GDPR in advance is crucial for larger organizations, which typically have more channels for acquiring and storing customer data. Don't wait until 2018 to start preparing for GDPR's comprehensive reforms.
2. Identify and train your data protection officer
To comply with GDPR, you must appoint a data protection officer (DPO) if you are a public authority, if you monitor individuals (e.g., tracking online behavior for marketing purposes), or if you process (or are involved in processing) sensitive data, such as health or criminal records.
DPOs must inform and advise your organization and employees about their obligations to conform to GDPR as well as other data protection laws. They must also manage the organization's internal data protection activities, train staff in data protection, conduct internal audits and be the first point of contact for supervisory authorities.
DPOs report to the highest level of management in the organization – the board level – and must be provided with the resources they need to perform their duties.
You can appoint an existing employee as your organization's DPO, but they must have professional experience and knowledge of data protection laws. Most businesses are unlikely to have such an individual.
Luckily, organizations can skill up their nominated DPOs in data protection in time for GDPR. A number of data protection courses are aligned with Data Protection Officer certification and GDPR training.
3. Track your data to report data breaches
Data breaches are catastrophic and the cost to businesses will increase when GDPR fines are introduced.
GDPR introduces a requirement for all organizations to report certain types of data breaches to the relevant governing body and to your customers. You must notify the relevant stakeholders if a data breach will result in discrimination, damage to reputation, financial loss or loss of confidentiality for the individuals affected.
To do this, you'll need proper procedures in place to detect, report and investigate data breaches. It's not uncommon for organizations to fail to realize their data has been breached until months after the attack. If you're among them, you'll be fined under GDPR.
You will need to track the types of data you hold and document when you would be required to notify the ICO. If you fail to report a breach, even by accident, you'll be hit with a fine – 2% of global turnover or $11 million, whichever is higher. This is in addition to the fine you’ll pay for the breach itself.
For more information, including how to report a data breach, read this comprehensive documentation from the ICO.
4. Identify where you share information with other organizations
Under GDPR, if your business shares inaccurate personal data with another organization, you must notify the other organization of the inaccuracy.
To do this, you'll first need to document what personal data you collect and hold, where it came from and who you have shared it with. You may not currently have such procedures in place, and this may require an information audit across your organization.
5. Communicate privacy information
When your business collects personal data, you currently must provide certain information, like your identity and how you intend to use the information.
Under GDPR, all companies dealing with information about European citizens will need to provide more information to customers. You'll need to clearly explain:
- Your lawful basis for processing EU citizens' data
- Your data retention period
- That individuals can complain to the ICO if there is a problem with your data handling
6. Ensure your data procedure covers individual rights
When GDPR is introduced, individuals (your customers) will have more rights, and your data protection procedures must reflect that. GDPR means individuals will have the rights to:
- Access their data
- Have data inaccuracies corrected
- Have their data erased
- Prevent direct marketing, automated decision-making and profiling
- Move their data between services (data portability: safely moving personal data from one IT environment to another)
You'll need to provide this data in a commonly used structure and machine-readable form. It must also be provided free of charge.
7. Respond to subject access requests quickly
Under GDPR, individuals have the right to receive a copy of the personal information held about them by a company. This is known as a subject access request.
Businesses are obligated to comply with these requests in a timely manner under GDPR. You cannot charge for these requests, and requests must be completed within a month, though you can refuse a request if the demands are unfounded or excessive.
If you refuse a request, you must tell the individual why. Be aware that they then have the right to complain to a supervisory authority.
If your business typically handles a high number of these access requests, consider how it will be affected by having to deal with them within 30 days. It may be worth developing new systems that let individuals access this information online.
8. Consent (eliminate your preticked tick boxes!)
GDPR sets a high standard for consent and could mean a major overhaul of how you obtain consent from your customers. GDPR is clear that consent must be unambiguous and given through an affirmative action.
In practice, consent should be separate from other terms and conditions, and should not be a precondition of signing up for a service. What's more, GDPR specifically bans preticked opt-in boxes.
For more information on consent under GDPR, take a look at this comprehensive documentation from the ICO.
9. Data protection for children
GDPR will introduce special protection for children's personal data. Businesses must start implementing systems to verify ages or obtain guardian consent for any data processing.
Under GDPR, a child aged 16 or older can give their own consent to data processing. If a child is younger than that, you will need consent from a parent or guardian to process their data. More information on children's personal data under GDPR can be found here.