GDPR Compliance May 25th 2018

GDPR Compliance is not a suggestion. It almost certainly applies to you. If your organization controls or processes data on people living in the European Union (even if your organization is not located in the EU), it applies. It applies to ANYONE selling into the EU.

On May 25, 2018, the most significant piece of European data protection legislation in 20 years comes into force, when the European Union’s (EU) General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive.

GDPR Compliance – and Your Business

We have been asked the following:

So the key here is customer consent … is that correct?
Or is the focus on encryption and security?
(Or both?)

The reply/advice we have received is that it’s both: getting permission as well as protecting the data.
A key thing is that you have to have PROCESSES in place that deal with the different scenarios in which customer data can get compromised.

And those processes need to end with “and this is how we notify the authorities when things go south”.

And of course, all processes need to be documented (that’s the 2% rule, see below), plus you have to have systems/processes in place that make sure that first set of processes is always kept up to date.

The penalties for GDPR non-compliance

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR.

This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data, or violating the core Privacy by Design concepts.

There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment.

It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Regarding the first part (the 4%): that applies to the entire company structure.
So if you think “not to worry, this one company that might be affected is only a small thing under my umbrella brand” … think again:
it is the GLOBAL turnover of the ENTIRE company!

As you can see, the regulation explicitly mentions ‘not having sufficient customer consent to process data’.

Here’s where things get very scary:

Say you store customer information with an autoresponder provider (e.g. AWeber, GetResponse, Mailchimp) and they get hacked … YOU are responsible!

It is YOUR responsibility to CHECK up-front (and to keep checking on a regular basis) that, in this example, the autoresponder provider is GDPR-compliant.

Now it gets even more serious:

Even if you can prove that the autoresponder provider messed up and YOU checked in on them on a regular basis … it’s still 4% of YOUR company’s turnover that’s on the line (or €20 million, whichever is greater).

You can then TRY to reclaim that from your autoresponder provider, but that’s YOUR job. YOU/YOUR company foots the bill to begin with.

Training resource: https://youtu.be/g6hB9P6-MvI

You can find more information about GDPR at: https://gdpr-info.eu/

Here is an effective guide to assist you along your path to GDPR compliance. Hurry: the regulation takes effect on May 25th 2018.

This guide is from RSA and may help.


Or contact us for more information on:

GDPR Compliance Review

GDPR Audit