Many small organizations are already struggling to keep pace with the growing number of government and industry regulations that affect their IT environments. And now a new regulation from the European Union (EU) is expected to have a sweeping impact on organizations worldwide when it goes into effect next year.
The EU General Data Protection Regulation (GDPR) is designed to protect the privacy of EU citizens and give them greater control over how their personal data is maintained and used. It replaces EU Data Protection Directives that date back to 1995, and provides for more consistent privacy rules across the EU market.
U.S. businesses should not disregard it, however. The GDPR applies to any organization, regardless of location, that controls or processes the personal information of EU citizens. Fines for noncompliance are substantial — up to 4 percent of revenue — although small to midsize businesses (SMBs) face somewhat smaller penalties.
According to Gartner, more than half of organizations affected by the new rules will not be in full compliance by the end of 2018. Gartner analysts recommend that organizations focus on five high-priority changes to help get up to speed with GDPR requirements:
- Determine your organization’s role. Any organization that decides how and why personal data is processed is a “data controller” under the rules. These organizations should appoint a representative to act as a contact point for the data protection authorities and data subjects.
- Appoint a data protection officer. This is especially important when the organization is a public body, when its core activities involve “regular and systematic monitoring,” or when it processes data on a large scale. “Large scale” does not necessarily mean hundreds of thousands of data subjects.
- Demonstrate accountability in all processing activities. Very few organizations have identified every process where personal data is involved. Going forward, organizations should establish the limited purpose and relevance of data processing activities and determine how data quality will be maintained. In addition, organizations should establish procedures for obtaining and documenting the express consent of data subjects — implied consent will no longer be adequate.
- Manage cross-border data flows. The transfer of data across national boundaries is restricted under the GDPR. Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the 11 other countries that the European Commission (EC) has deemed to have an “adequate” level of protection are also still possible. Outside of these areas, organizations should establish effective safeguards, such as clauses in contracts, to ensure compliance.
- Prepare for data subjects exercising their rights. A “right to erasure” enables data subjects to request that their data be purged if it’s no longer necessary. Data subjects also have the right to be informed (for example, in the case of a data breach) and to data portability. Organizations should implement procedures for addressing requests from data subjects and adequately handling data breach incidents.
The GDPR goes into effect May 25, 2018, giving organizations less than a year to prepare. If your organization does business in the EU, or holds data on EU citizens, you should start taking steps to ensure GDPR compliance.