GDPR isn’t a country, but don’t mess with it
On May 25, 2018, a raft of European Union data norms constituting the General Data Protection Regulations (GDPR) will come into effect. Despite the acronym’s resemblance to that of a defunct nation, GDPR is Europe-wide, and indeed global when its ramifications are followed to their conclusions. And whereas in old East Germany people’s data belonged to the state and private business was frowned upon, now we have a world in which private business is getting its hands on more and more of people’s data and governments are stepping in to protect their citizens.
European businesses have just months to prepare for GDPR, after which they will be exposed to hefty fines and PR besmirchment for non-compliance. All companies that collect or process the personal data of EU residents must change the way they handle it, and that includes a citizen’s right to be digitally forgotten. Suddenly companies’ CRM and other internal systems have become potential time bombs. Soon they will have to be audited and purged.
It is essential to start planning for GDPR compliance as early as possible, and to obtain buy-in from key people in the organisation. Compliance will require substantial documentation to demonstrate transparency and protect individuals’ rights. In large organisations this could have significant budgetary, personnel, IT, governance and communications implications. At the very least a Data Protection Officer should already have been designated to oversee the preparations for compliance.
Businesses need to look at the various types of data processing they carry out, and absolutely nail down the legal basis for carrying it out and document it. They need to be ready to handle requests within the new timescales, and do dummy runs to test the practicality and robustness of data deletion in IT terms. In the case of applications and online platforms, consent must be rigorously sought for use of personal data in the form of user opt-in. Ultimately, every EU citizen will need to approve every instance of their personal data being used by a company. Any and every data breach will have to be reported under stricter terms than is currently the case.
If your company is floundering on GDPR and May 2018 is starting to look like an oncoming express train, help is at hand in the form of a new series of training modules from Inspired eLearning.
Kyle Metcalf, CEO of Inspired eLearning, states, “The upcoming implementation of GDPR applies to all companies that collect or process the personal data of EU residents and pertains to both EU and non-EU companies. Our customers, and companies across the globe, have only months to prepare.
“We believe education is paramount to helping companies protect themselves from external threats such as cyber security as well as compliance matters on the local, national and global levels. The penalties for GDPR non-compliance include fines upwards of 20,000,000 Euros, a risk of class action lawsuits from the data breach victims and long-lasting damage to the company’s brand.”