GDPR is a sweeping and far-reaching update to the European Directive on Data Privacy from 1995. It harmonizes data protection requirements across all 28 Member States, introduces new rights for data subjects, and applies extra-territorially to any organization controlling or processing data on natural persons in the European Union.

Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you. There is a whole host of requirements and mandates that need to be in place when GDPR comes into force, not least of which is that when a data breach occurs, the local data protection authority and all affected data subjects must be notified within 72 hours.

GDPR requires data controllers and processors to implement both organizational and technical safeguards to ensure the rights and freedoms of data subjects are not compromised. Organizational safeguards include data protection impact assessments, data protection by design for both structured and unstructured data, and the appointment of a data protection officer who reports to the highest level of the organization.

Technical safeguards include pseudonymization, encryption, and various capabilities for identifying and blocking data breaches, ensuring data security, and automatically identifying and classifying personal data, among others. It is important to note that a “data breach” according to the GDPR also includes “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”, and so preventing unauthorized use or access must also be considered as a key element of GDPR compliance.

The deadline for GDPR compliance is rapidly approaching, and the transition period between the earlier Directive and the new Regulation is now under way. Once the Regulation comes into force on May 25, 2018, organizations will be expected to comply immediately from that date. Most organizations are not yet adequately prepared for compliance with the GDPR.

Being non-compliant with GDPR will be very expensive. In addition to other financial consequences, there are two tiers of regulatory fines, the more expensive of which is a fine of up to €20 million or four percent of the organization's annual worldwide turnover, whichever is higher. Compliance with the GDPR must also be continual, since a failed audit can have damaging financial consequences.

Compliance with the General Data Protection Regulation is a complex challenge. Let Tier4 take the complexity out of the equation. Complete the Tier4 GDPR Applicability Checklist. For an immediate response, Joel Andersen is available by email at joel@tier4advisors.com or by phone at (678) 712-8340 to schedule an appointment with our GDPR experts.

 

Tier4 Blog Edition 33: March 28, 2018