Is Your Firm Prepared for the New EU Data Protection Rules?

If you do business in the European Union — even if your organization is based elsewhere — get ready. The EU's upcoming General Data Protection Regulation (GDPR) delivers a long list of what one international law firm calls "onerous obligations."

Sure, regulators in Brussels mean well. Their aim, after all, is to protect the privacy and security of EU citizens. But for anyone doing business in Europe, this new regulation could also mean a lot of new work, and some suggest businesses are in denial about it.

Smart IT and security officers will get started now. The new GDPR rules don’t take effect until May 2018, but preparing for compliance could take a great deal of time.

Wide Reach

Are you among those affected by GDPR rules? Yes, if your organization meets any of the following criteria:
  • Based in the EU
  • Offer any goods or services — including those that are free — to EU citizens
  • Monitor the behavior of EU citizens
  • Hold and process data on EU citizens
Note that the last three criteria apply no matter where your organization is based. A company based in California would still need to comply with GDPR if it sold products in Spain. So would a Chinese company offering services in Germany. Assuming your organization does qualify under the GDPR rules, here’s some of what you’ll need to do to comply:
  • Notify the public of any data breach your organization suffers within 72 hours of discovery
  • Prove your compliance with GDPR by providing documentation, impact assessments and data-protection designs
  • Hire or contract a data protection officer (DPO) as part of your organization’s accountability program
  • Allow EU citizens to easily withdraw their consent to your organization processing their personal data — and be able to prove that they gave that consent in the first place
  • Inform all EU data subjects on the risks of transferring their data before you move their data anywhere outside the EU
What if you fail to comply? You could be fined, big time. The EU rules define a tiered approach, one in which you could ultimately be fined as much as either 4% of your organization’s annual revenue or €20 million (approximately $21.4 million), whichever is larger. This threat is far more than merely theoretical. A new study, conducted by threat management firm RiskIQ, finds that 1 in 3 public web pages of leading UK companies collects personal information from visitors in ways that violate the GDPR rules. Unless the companies fix these pages, and soon, they could be subject to huge fines.

Preparation Needed

So what can you do now to start preparing for GDPR? A recent report from international law firm Allen & Overy recommends that you ask yourself 3 important questions:
  1. Under GDPR, what are our new obligations?
  2. Do we have GDPR gaps in our current compliance program? And if so, where?
  3. Assuming there are gaps, what changes will we need to make…how quickly…and at what cost?
Beyond that, Allen & Overy suggests 8 steps that your organization should take now to prepare for GDPR compliance:
  • Get ready for breaches with new policies and procedures
  • Establish an accountability framework
  • Embrace privacy by design
  • Analyze the legal basis of data you use
  • Ensure your privacy notices and policies are clear and easy to understand
  • Be prepared for data subjects to exercise their rights
  • Consider whether you have new obligations to those you supply
  • Ensure that you have legitimate reasons for transferring data across national borders
To learn more about these issues, listen to Masergy's webinar "Mitigating the Risks Associated with GDPR".

About David Venable

VP, Cybersecurity, Masergy
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years of experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.