What is the GDPR? How could it affect your business?
The General Data Protection Regulation (GDPR) strengthens and unifies data protection for individuals located in the European Union. Any organization that stores, processes, or transfers the personal data of people in the EU, wherever the organization itself is based, was expected to be compliant by May 25, 2018, or face the consequences.
- Those consequences are dire: administrative fines of up to €20 million or 4% of an organization’s worldwide annual turnover, whichever is higher.
- For a regularly updated list of GDPR fines, check the GDPR Enforcement Tracker web page from global law firm CMS.
- This is a major reason why, according to the IAPP, more than 500,000 organizations were estimated to have registered Data Protection Officers by mid-2019.
- However, even a year after the regulation took effect, many U.S. citizens and businesses were unaware of the GDPR: SurveyMonkey reported that in 2018 just 10% of Americans knew something about the GDPR; by 2019 that had grown to 28%, but half of Americans still had never heard of it, down from 78% the year before.
How can technology enable GDPR and CCPA compliance?
The complexity of keeping up with new regulations like the GDPR and CCPA has made traditional, manual processes and tools obsolete. To mitigate risk and exposure cost-effectively, companies are turning to legal and GRC (governance, risk, and compliance) software to track the data they hold and to handle the individual rights below, which the GDPR grants to every data subject.
The Right To Access:
Individuals can request access to their personal data and ask how it is being used after it has been gathered. The company must provide a copy of the personal data free of charge (further copies may carry a reasonable fee), and, if the request was made electronically, in a commonly used electronic format.
The Right To Be Forgotten:
If the data is no longer needed for the purpose it was collected for (for example, the person is no longer a customer), or if the individual withdraws the consent on which the processing was based, they have the right to have that data deleted. The right is not absolute: data a company is legally obliged to retain, or needs to defend legal claims, can be kept, but the company must be able to show why.
The Right To Data Portability:
People can obtain the personal data they provided to a service and transfer it to another provider, which must be done in a structured, commonly used, and machine-readable format (JSON or CSV exports are typical); where technically feasible, the individual can ask for the data to be sent directly to the other provider.
The Right To Be Informed:
Individuals must be told, at the time their data is gathered, who is collecting it, why, on what lawful basis, how long it will be kept, and whom it will be shared with. Consent is only one of the lawful bases the GDPR allows, but where consent is relied on it must be an affirmative opt-in that is freely given, specific, informed, and unambiguous; pre-ticked boxes and consent implied from silence do not count.
The Right To Rectification:
People can have their data corrected or completed if it is out of date, incorrect, or incomplete.
The Right To Restrict Processing:
People can request that processing of their data be restricted, for example while a dispute over its accuracy is resolved; the data can stay in storage, but it can’t otherwise be used without the person’s consent or for legal claims.
The Right To Object:
People can stop the processing of their personal data for direct marketing, with no exemptions; processing for that purpose must cease as soon as the objection is received. This right must be brought to their attention explicitly, no later than the company’s first communication with them. Objections to other processing (such as processing based on legitimate interests) must also be honored unless the company can demonstrate compelling legitimate grounds that override the individual’s interests.
The Right To Be Notified:
Should there be a data breach compromising personal data, the company must notify the supervisory authority within 72 hours of becoming aware of it (or explain the delay), and, where the breach is likely to result in a high risk to the affected individuals, those individuals must be informed without undue delay. The 72-hour clock starts when the company is reasonably certain a breach has occurred, so breach detection and an incident response process capable of producing an initial notification in that window are compliance requirements, not just good practice.
How bad are employees at compliance?
One CEB study found that over 90% of employees violate policies expressly designed to prevent the kind of data breaches that GDPR compliance is meant to avoid.
- 45% of internal privacy failures were caused by intentional “but non-malicious” employee actions.
- Two-thirds of employees use personal technology for work, such as copying sensitive files to their home computers, in violation of compliance rules.
- The average Fortune 1000 company now spends more than $400,000 a year notifying customers and employees of privacy failures – at least, those that get reported.
- Employees “rationalize noncompliance” and work around rules and processes they find too difficult to observe.