As we approach the enforcement date for GDPR compliance, 25 May 2018, the European Commission has published a new website for applicable entities to help them understand and align their data handling practices with the new law. The EU Commission’s site contains a wealth of information and resources for GDPR implementation, along with additional background on enforcement and sanctions for multiple stakeholder groups (e.g., data controllers/processors, data protection authorities, and data subjects).
Below is an outline of the valuable content accessible on the European Commission’s site for your consideration:
- Rules for Businesses and Organizations FAQs: The page covers an array of GDPR subject areas and lists common questions that organizations may have regarding GDPR’s impact on their business. Selecting a question reveals a thorough response, often with an illustration, along with specific references to the relevant GDPR article(s). If you are a Small to Medium Enterprise (SME), the site offers high-level guidance on appropriately interpreting the GDPR requirements depending on organizational size (e.g., organizations with fewer than 250 employees are not required to retain records of their processing activities).
- Data Protection Infographic: The infographic details the scope of data considered for GDPR, the background on the regulation, the requirements that impacted companies are to abide by and the cost of GDPR non-compliance. It also offers explicit insights on what your clients will value with respect to how their data is protected and utilized within the services that your organization provides them (e.g., clear communication on data usage, streamlined access to their collected data). Additionally, it depicts clearly the stages of enforcement by local Data Protection Authorities (DPAs) along with the potential costs to your organization for non-compliance (i.e., a fine up to 20 million euros or up to 4 percent of global annual turnover).
- GDPR Document Library: Along with its other pages, the site features a library with several white papers classified by category (i.e., Communication, Citizens, Businesses). These resources provide key considerations on how an organization may be impacted when interfacing with DPAs (e.g., new GDPR guidance issuance), and customers (e.g., personal data rights). While this high-level guidance can help companies establish a compliance framework, each individual business must define for itself the areas of the business requiring deeper concentration, determine how GDPR requirements will be embedded within existing processes and demonstrate the value of these changes to its clients or customers.
It is unclear how dynamic the EU Commission’s site will be, but for now it is a good reference source for companies that are working towards compliance. Additional sources that can be leveraged for regular updates and insights include the following:
- The Article 29 Working Party is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The group’s new and archived guidance and commentary can be found here.
- The International Association of Privacy Professionals (IAPP) is a resource for professionals who want to develop and advance their careers by helping their organizations successfully manage data privacy risks and protect their data. Membership benefits include access to training, conferences, and a variety of other tools to stay current on security trends. Their Daily Dashboard, available to members, is an excellent curated collection of relevant information.
- Finally, Protiviti offers GDPR resources on our website, which include white papers, webinars and a soon-to-come GDPR FAQ guide.
We recommend bookmarking all of these resources and referring to them often as you develop your GDPR compliance program. For help with specific areas, such as assessments, implementation, training and more, you can reach us here or on our website.
Leo Berrun of Protiviti’s Security and Privacy practice contributed to this content.