At PM we’re well aware of the damage that cyber attacks can do to our clients. More and more clients ask for our support in organizing crisis management and communications exercises based on cyber crime scenarios. That’s why we attended an event on the upcoming European GDPR (General Data Protection Regulation), organized by Dull Consulting and CCV Lab.
GDPR aims to harmonize data privacy laws across Europe and to protect and strengthen the personal data privacy of everyone in the EU. As always, new regulations bring new risks for organizations. From 25 May 2018 onwards, organizations that are not compliant face heavy fines, so now’s the time to prepare!
You can read more about GDPR here.
Here are some of our personal takeaways from the event:
- GDPR concerns personal data, which is essentially any information that can be used to identify an individual, directly or indirectly: names, email addresses, phone numbers, IP addresses, etc. It’s important to note that GDPR does not only apply to B2C companies, because every company holds personal data. Think of the HR records of your own team.
- Organizations shouldn’t see GDPR as something that’s solely negative. It’s also an opportunity to finally get an overview of all your data and how that data is collected, processed, used and stored.
- Providing information is key! In the age of GDPR, organizations will have to proactively inform the people whose data they collect (the data subjects) about what they’re going to do with it, even more so than today. So whatever you are doing with your data (or might start doing in the future!), people should be told about it without having to ask.
- The rights of data subjects will be defended more strongly. Answering questions about your data policy becomes mandatory. Personal data may only be kept for a period that is ’limited’ and ’reasonable’, i.e. no longer than needed for the purpose it was collected for. If you still hold data (including backups) whose retention period has ’expired’, you will be required to honour the ’right to be forgotten’ (formally the right to erasure). The list of requirements is long, so yes, it’s a good idea to start talking about this with your IT people!
- Certain private sector organizations will have to appoint a DPO (Data Protection Officer), irrespective of their size. This DPO’s responsibility is to make sure that the organization is compliant with GDPR.
- After a data breach, the supervisory authority must be notified without undue delay and, where feasible, not later than 72 hours after you become aware of it (unless the breach is unlikely to put the rights and freedoms of the people involved at risk). When the breach is likely to result in a high risk to those people, the affected data subjects must be informed as well, without undue delay. Don’t sleep on it.
At this point you may be asking ”that’s cute, but how are they going to enforce all that?” According to the speakers at the event, there will be crawlers that search the web for infringements, for one thing. Additionally there will be random inspections, mainly focused on the health sector. And last but not least, everyone will have the right to file a complaint against your organization, after which your organization can expect a thorough review by the authorities.
The fines can range up to 20.000.000 euro or 4% of worldwide annual turnover, whichever is higher. Don’t take the risk and start preparing for GDPR today.
Keep in mind that this blog post is not legal advice. Please consult legal counsel to make sure your organization is completely ready for GDPR. Rather, see this post as an eye opener as to what GDPR is going to change within your organization.