European regulators are giving individuals new rights to control how their personal data is used. A new law, the General Data Protection Regulation (GDPR), scheduled to become effective May 25, 2018, is the most important change in data regulation to come from European Union (EU) regulators in 20 years. It introduces strict new rules for the protection of the personal data of EU citizens, and applies to any company that collects or processes such data. Organizations with customers or employees in the EU should prepare now to avoid big fines and potential legal liability.
We’ve been getting a lot of interest in this topic and will be doing our best to keep you advised and informed on this important change so that you can be prepared when the regulation becomes effective. Not surprisingly, given the scope of change this regulation will require, our GDPR webinar on July 18 was very well attended. Below is an overview of part of that discussion.
GDPR expands the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations.
U.S. companies, take note: Compliance with GDPR is going to require some heavy lifting. The regulation only allows data transfer between countries with “adequate” data protection laws. Currently, the United States does not meet this requirement, which means U.S. companies will have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business — even online — with EU data subjects.
Other notable changes include:
- A requirement that EU citizens must specifically “opt in,” or grant permission for their data to be captured. Under the GDPR, consent may be revoked at any time, and implicated data must be erased.
- The mandatory appointment of a data privacy officer (DPO) in some circumstances.
- 72-hour breach notification requirements (common in the U.S. but not in Europe until now).
Companies will feel these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.
What will this sweeping change cost? We estimate the cost of compliance to be in excess of $1 million for companies with more than 10,000 employees. The cost of not complying, however, is even higher, with the penalty cap raised from 500,000 euros to 20 million euros or 4 percent of annual global revenue, whichever is greater. In addition, consumers will be allowed to claim compensation for damages resulting from breaches of their personal data.
There are several steps companies should be taking now to ensure that they will comply with GDPR by the 2018 deadline. Protiviti has been working with many companies to develop a roadmap to compliance. In addition to appointing a DPO, we recommend:
- Inventorying all personal data
- Conducting a data protection impact assessment
- Identifying compliance gaps
- Protecting personal data by design and by default
- Developing a framework for GDPR compliance
We will be discussing these preparations both here on The Protiviti View and in future publications. Bookmark our website or subscribe to follow us here to stay abreast of developments.
Internal audit is uniquely suited to help organizations assess compliance, determine scope and recommend changes. We will be exploring internal audit’s role in this transition in more depth in a follow up post.
It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. There will be need for changes to applications, as well as changes to contracts and third-party relationships. And we haven’t even touched on data portability.
If you haven’t yet begun the assessment process, there is still time, but the window of doing so comfortably is closing.
Protiviti will be holding a series of roundtable discussions in major cities around the United States. We encourage you to attend one if you can. Details are available on our website.