GDPR: The Good, The Bad and the Scary.
Is your company affected by the new GDPR regulations? Ask these questions:
- Does the company have a presence in an EU country?
- Does the company hold any personal information about an EU citizen?
- If your company holds information on any EU citizen, have you protected that information against potential breaches?
- Has your company yet to assess the materiality of the regulations' impact (also known as a Data Protection Impact Assessment)?
- Has your company yet to assign a Data Protection Officer?
- Has your company yet to develop processes for the various rights an EU citizen may invoke, such as the right to know what information you hold or the right to be forgotten?
- Have you yet to obtain consent for any processing performed on the EU citizen information you hold?
If you answered yes to any of the questions above, this blog post is for you.
Based on your answers, your company is required to comply with the General Data Protection Regulation (GDPR) by May 25th, 2018. Expect it to set new standards for your data collection, storage, retention, and security policies.
Here is a look at the good, the bad and the scary for your business and the people whose data you are collecting.
What would the GDPR protect?
The GDPR will protect privacy data such as:
- Basic Identity Information (Name, Address, etc.).
- Web Data (IP address, Location, Cookies, History, Etc.).
- Biometric data.
- Health and genetic data.
- Political affiliation.
- Ethnic/Racial data.
- Sexual orientation.
- Religious affiliation.
- Personal preferences.
What will GDPR cost my company?
Recent surveys say that 68% of U.S.-based companies expect to invest 1 to 10 million to meet the requirements, and another 9% expect to spend more than 10 million[i].
But this is not the end. GDPR is not a single, one-time event. GDPR requires continuous active monitoring, and a visible, proactive data governance program to assure EU citizens are protected, and their rights can be exercised appropriately.
What will happen if your company is not in compliance?
You can expect steep fines. Violators are placed in one of two penalty tiers, the higher of which carries fines of over 20 million Euros or 4% of the company’s net income[ii].
A recent example is the $700,000 joint settlement with Hilton announced by New York’s Attorney General Eric T. Schneiderman after a data breach exposed hundreds of thousands of credit card numbers[iii].
Had that breach happened after May 2018, when GDPR takes effect, the same breach would have been fined $420 million USD. Under the settlement, Hilton agrees to provide prompt notice to consumers of future breaches, reform its data security practices, and conduct regular assessments of its data security program.
Mohit Sahgal, VP of Analytics at Paradigm Technology, had this to say when asked for his thoughts on the Digital Guardian article and GDPR:
- Keep in mind that Regulators are getting smarter. You can expect more fines.
- Currently GDPR comprises over 100 articles and recitals that require some degree of treatment. You and your business can’t afford to ignore this.
- Three key requirements must be addressed:
  - Consistent, repeatable data protection processes, including Data Protection (Privacy) Impact Assessment.
  - Managing EU citizen personal information, including processing various rights an EU citizen may invoke.
  - Appointing a Data Protection Officer (DPO), a senior company officer who is held accountable for the implementation of the Articles.
What should your company be doing to prepare for GDPR?
- Conduct a thorough review of the Articles.
- Conduct an initial DPIA (Data Privacy Impact Assessment).
- Based on the initial DPIA, use the diagnostic to assess key program constructs that require attention.
- Define an implementation blueprint in terms of strategy, process, data, security, technology and people to address the Articles and DPIA findings.
- Identify opportunities for automation (key to enabling and accelerating consistent, repeatable processes, including future DPIAs).
- Create a business case / cost model for the entire program including support, as requirements are released into production.
- Create a high-level program plan that includes key milestones for introducing capabilities in an iterative, incremental and systematic manner.
- Identify a DPO sponsor (possibly existing Chief Data Officer).
- Define the organizational structure, roles, responsibilities, and operating model required to support the program.
- Establish a formal training program to communicate the necessity of the program, accountabilities, work streams, milestones, and on-going change management.
Written by Frank Golda, Manager of Marketing and Communications.
Paradigm Technology is a boutique consulting company and strategic solutions partner. Paradigm utilizes innovative business solutions to help clients shift their focus to the value we help derive in Analytics, Cloud, and Project Leadership.
For more information about Paradigm Technology email firstname.lastname@example.org or visit www.pt-corp.com.
[i] “GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey.” https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html
[ii] “GDPR: What It Means for US-based Companies.” https://www.schellmanco.com/blog/gdpr-what-it-means-for-us-based-companies
[iii] “A.G. Schneiderman Announces $700,000 Joint Settlement with Hilton After Data Breach Exposed Hundreds of Thousands of Credit Card Numbers.” https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed