In a word, yes. The European Parliament published the regulation in the Official Journal of the European Union, making it law on the 25th of May 2016 and giving organisations 24 months to become compliant.
That’s not to say that the regulators will swoop at midnight on that fateful day to hand out fines to organisations that are not compliant, but there is little point in taking the risk.
The legislation in the General Data Protection Regulation itself has been described by various experts as strict, ambiguous, complex and confusing, but for Data Protection Officers and Compliance Managers across the EU (including Britain post-Brexit), it’s not up for debate. So, it’s a case of keeping calm, putting the resources you need behind it, and using the remaining time to ensure your organisation meets the new obligations before the deadline drops.
What’s covered and who is subject to the legislation?
GDPR applies to the personal data of EU citizens and is concerned with organisations that collect or process that personal information, even if the company itself sits outside the EU.
It’s not industry-specific, so it applies to every type of business and organisation, and makes no distinction between business-to-business and business-to-consumer marketing. This means business customer data is also subject to the new rules if it’s personal data.
And if my business doesn’t comply?
GDPR is non-negotiable and the consequences for non-compliance would be too much for most businesses.
Regulatory fines come in two tiers and depend on whether the data controller or processor has committed any previous violations, and the nature of the violations.
- The lower fine threshold is 2% of a company’s worldwide annual revenue, or €10m, whichever is higher.
- The higher threshold is 4% or €20 million, whichever is higher.
What if there’s a data breach?
GDPR not only expects organisations to be compliant and to take every measure to remain so, but also requires them to prepare a breach notification plan, in case something unexpected goes wrong at any time.
In the case of a data breach, organisations must be seen to act quickly, mitigate losses, and notify regulators and any affected individuals of that data breach.
Your Data Controller needs to keep records of any data breaches, but all staff must also be trained to understand what constitutes a data breach and why it will now mean more than just a loss of personal data.
If an organisation has taken steps to minimise the chances of a data breach, such as encryption and pseudonymisation, they are less likely to be hit hard by regulators.
How can pebble.it help?
Data Protection Officers and Compliance Managers will have a good grasp of the regulations and what they mean in practical terms for an organisation, but making the actual changes to processes and procedures may require expert help from a certified GDPR consultant. That’s where pebble.it come in.
We can provide a full GDPR-focused evaluation to:
- Assess the level of personal and sensitive data currently held
- Outline how much of that data is required for business use
- Build systems to manage data collection and protection effectively going forward
- Help organisations better understand their responsibilities as data controllers and processors
- Understand what legitimacy and acceptable use of data means in very practical terms
We can develop appropriate infrastructures and controls that minimise threats and protect against data loss, misuse, theft or compromise.
Working in close collaboration with an organisation’s Data Controller, we can help data decision makers get a better understanding of the personal information moving through their business and:
- Create GDPR-compliant processes
- Manage network security
- Secure physical storage
- Manage information back-up
- Apply appropriate use of encryption
- Educate businesses on safe destruction of information
- Offer help and advice around cloud-based services and service provider contracts
We can look at encryption of devices, malware security, hardware and software, and promote safe remote working practices.
Governance is key when it comes to the new regulations, so it’s important to raise awareness across the business and ensure understanding of individual and business obligations.
A GDPR consultant can help educate teams on security, accountability and best practice principles, putting all of it to practical use with audit and governance controls that will keep organisations on the right side of the law.
With so much to do, the best advice we can give any business is to take every measure necessary to meet the May 2018 deadline. Legislators gave businesses two years’ notice to make the changes for good reason, and while it’s hard to say how strict they’ll be come the 25th of May, no business can afford to be the one that legislators make an example of with fines that run into millions.
Discover what steps you need to take to be compliant and how a certified GDPR consultant can help your organisation meet legislation requirements by downloading our GDPR-readiness checklist: