May 2020 marks the second year that GDPR has been in effect and we have already seen some significant fines totalling over $126 million. Google has taken the biggest hit so far with a January 2019 fine of $53 million from the French data protection watchdog. But what has it meant for small to medium sized businesses? To date, for most businesses, the launch of GDPR has meant a lot of hype with often expensive legal bills and to reassure their large customers that they are “compliant”. But other than perception in the market place is anything actually happening?
Looking ahead, many GDPR commentators expect that the number of fines will only increase in the coming year. Even if your business hasn’t been affected in the last 2 years, your organization should pay attention now as the regulators are staffing up their enforcement teams for more activity this year. In fact, over 160,000 data breach notifications have been reported across Europe in the last 2 years and the regulators need time to build a case against an organization before the fines can be imposed and we read about them in the news.
To avoid being a breach statistic, GDPR is one of the global standards that we recommend our customers think about with their compliance program. GDPR (General Data Protection Regulation) is a European Union law that covers data protection and privacy both in the EU and addresses the transfer of personal data outside the EU.
So how do you know if GDPR affects your organization?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. If your company has a web site, social media presence or international business customers you will be affected. So it might come as a surprise to many US-based businesses that they are required to be GDPR compliant.
How can my organization become GDPR compliant?
If you are already complying to other privacy regulations, such as HIPAA, you have likely made a start on the requirements from GDPR. You will need to:
- Know if your company may collect identifying data from an EU citizen at any time.
- Evaluate and update your privacy policies around how you currently handle permission to use, correct, transfer or store personal data. Be sure it conforms to the GDPR’s definition of personal data as well.
- Examine your online marketing strategy and tactics. How do you collect data like email addresses? How do you ensure consent? For example, pre-checked permission boxes to contact someone again are not allowed.
- Update your security incident response plan to include informing the EU regulator or supervising authority within 72 hours of a breach. Sensitive data like healthcare or financial information, as well as any associated data about children, or a large number of email addresses, falls into the high risk category.
- Update your privacy and security training curriculum to include GDPR definitions and requirements.
- Assess how your technology needs to handle the GDPR security controls, like access and monitoring, and data encryption.
- Ensure your privacy and security compliance support platform either has or soon will have GDPR compliance support capability.
How can MyVCM help with GDPR compliance?
Using a compliance tool, such as MyVCM, can help simplify the process of being GDPR compliant. Some examples where it can help you include:
- Build an effective security program against any one of the many built-in security frameworks to meet GDPRs industry security requirements.
- Establish, maintain and disseminate required cybersecurity and privacy policies, standards and procedures?
- Track assets, what data they contain and who has access to them, and many other Asset Management controls.
- Track and manage all Data Subject Access requests.
- Define clear roles within your organization and limit Personal Data (PD) access to only those who require it to perform their role.
- Implement third-party management controls to make sure any vendor with access to the data is also GDPR compliant.
The MyVCM platform contains GDPR templates that will help your organization with a gap analysis to quickly see what work is required to make your organization GDPR compliant. MyVCM also allows you to “crosswalk” compliance documents from other regulations so you can save time by avoiding the duplication of work when information is required for more than one regulation.
Penalties for data breaches under GDPR can range from 2% to up to 4% of a company’s annual global revenue (or up to $20 million). Failure to comply with GDPR, audit failure, or a data breach that goes unreported for more than 72 hours, among other factors, helps determine the penalty level. In a recent Forbes article the writer suggests that “firms can best position themselves for the future by acknowledging that the era of unlimited data collection without consequence is likely ending.”
If you want to learn more about GDPR talk to an expert at Ostendio. We’ve been helping customers for over 7 years with all their data security and compliance needs. We’re happy to offer advice and show you how easy it is to build, operate and showcase a compliance program using the MyVCM platform.