GDPR training – there’s still time (just)
May 25th, 2018 is going to be an interesting day. It’s when the EU’s General Data Protection Regulation (GDPR) becomes enforceable, and it applies to any organization, anywhere in the world, that processes the personal data of people in the EU. That might come as a shock to organizations outside the EU who assumed it didn’t affect them. The regulation was adopted two years ago, so there has been plenty of time to prepare, but human nature and the not-particularly-interesting subject matter have made sure that there is now a rush to get compliant before the May deadline.
Those who get caught with their pants down after that date could face fines of up to €20 million or 4% of their annual global turnover, whichever is higher. That doesn’t include the brand damage and adverse PR that follow a public enforcement action. Businesses must plug the holes in their data dams to guard against breaches or face a big euro-slap that will hit them where it hurts.
The most visible shift introduced by the new regulations is the stricter standard for consent to the use of personal data given by the data subject (an individual in the EU). Consent is only one of the lawful bases the GDPR allows, but where you rely on it, the burden of proof is now on you: the organization must be able to demonstrate that consent was given. That means no more pre-ticked checkboxes, no consent bundled into terms and conditions, and no obligatory email fields that aren’t needed for the service – the user must positively check an unchecked box or give some other clear, affirmative and verifiable agreement to the use of their data, and must be able to withdraw it as easily as they gave it. And you can only hang on to that data for as long as it is needed for the purpose you collected it for. After that it must be disposed of. Individuals can request the erasure of their personal data from a company’s systems, and the company must comply unless it has an overriding legal reason to keep it (a statutory retention obligation, for example). If a company is unable to demonstrate a lawful basis for keeping and/or processing an individual’s data, or if it fails to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, it’ll get spanked.
Another central concept of the GDPR is data portability. An EU data subject can ask for the data they provided to be handed over in a structured, commonly used, machine-readable format, or transferred directly from one organization to another. Portability on its own does not oblige the original organization to delete anything; if the individual also wants the data gone, that is a separate erasure request. The idea is that the individual controls their personal data, not the organization.
Those are just two of the more salient points of the GDPR. There are others that are more subtle and open to interpretation. The safe rule is that, given a choice between two plausible interpretations of the GDPR in a given case, you pick the more stringent one and apply it rigorously.
GDPR training helps companies mitigate potential fines, because a regulator will look for evidence of proper documentation and procedures, and staff who know what those procedures are. Public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, must appoint a Data Protection Officer (DPO) to oversee and police the processing of personal data; other organizations that handle a lot of personal data would be wise to do the same. The DPO should become expert in data privacy law and advise others in the organization right up to CEO level.
There are many training courses out there. Here are two solid offers for U.S. and UK organizations:
U.S. GDPR Training: https://www.itgovernanceusa.com/gdpr-training-courses
We linked to another training course in a December 2017 article about the GDPR.