The new General Data Protection Regulation (GDPR) comes into force in May 2018; you need to start preparing now, as time is fast running out.
Changes to the governance of data will have far-reaching consequences for businesses. The GDPR will determine how your business does business, and particularly how it manages, protects and administers data in the future.
Europe currently has a plethora of different data protection regimes, one in each EU country. Organisations have to deal with many different sets of rules depending on where they set up their business and sell their products or services. The GDPR will harmonise data protection laws across the EU and will also apply to organisations across the world. Any company that processes personal data about EU citizens, whether they reside in the EU or elsewhere in the world, will need to abide by the GDPR.
European companies are still wrestling with how they are going to be compliant with the law in less than a year. Companies from other parts of the world may not have even heard of the GDPR, and therefore might not be aware of the possible impact upon them. As citizens from EU countries do business and exchange data with companies across the globe, the GDPR is something that international companies outside the EU need to be aware of and should be planning for. Failing to do this could seriously hinder their ability to market and sell their products and services in the EU.
Who needs to be GDPR compliant?
It is imperative that organisations that offer goods and services to EU citizens, and that subsequently process their personal data, are compliant with the GDPR.
A global study by Veritas showed that businesses are worried that they will not be compliant by the May 2018 deadline. The research found that 56 per cent of respondents in Singapore, 37 per cent in the US and more than 60 per cent in Japan and South Korea are worried they will be unable to meet the May 2018 deadline for compliance.
More than 90 per cent of organisations in Singapore expressed concern about the potential business disruption from the GDPR. Around 20 per cent fear that their company may go out of business as a result.
These are alarming figures for foreign companies that do business in the EU.
The GDPR represents a shift across the world towards a culture of safeguarding personal data, especially considering the global reach of the legislation.
What you should already be considering
As the clock is ticking, companies should be working towards compliance in a structured manner, including:
- rolling out GDPR awareness programmes across the business;
- ensuring representation and input from all key business functions;
- data mapping all personal data flows in and out of the organisation;
- creating an information asset register; and
- undertaking a gap analysis against the GDPR compliance requirements, including consent notices, privacy impact assessments and contractual arrangements with third parties with whom personal data is shared.
These will form part of the building blocks for determining how much further work is required for the business to be compliant by Spring 2018. Many businesses will require significant changes to policies, procedures and working practices. Smaller businesses which collect, process and store limited personal data may be less affected, but may still need to make some changes to comply with the new legislation.
Clearly, organisations that started to work towards GDPR compliance early on are ahead of the game and have a better appreciation of the level of effort that's required to make the changes needed to comply.