ONE YEAR AFTER GDPR - OVERVIEW AND PROGNOSIS
More than a year has passed since the arrival of the new data protection law in Europe. The General Data Protection Regulation (GDPR) came into effect in June of 2018, replacing the previous European data protection directive (Directive 95/46/EC). It is neither the first data privacy law, nor will it be the last. Due to sizeable territorial scope, GDPR has touched businesses and individuals residing in Europe at a much broader level than ever before enabling them to execute their rights related to personal data security and privacy. In the race to become compliant companies have faced many fears and much uncertainty.
Some trained their employees and adjusted business processes way before June 2018 for a smooth transition, while others hectically tried to buy “compliance in a box” after the regulation was adopted. There is also a group who chose to wait and see if the regulation would indeed be enforced and ambiguities clarified before starting their path in becoming GDPR compliant based on learning experiences of others. Retrospectively we can now take a back seat and see what has been achieved during the year and where are we heading now.
WAS THE REGULATION ENFORCED?
Yes, GDPR was enforced, and unlike some legal acts which threaten with high fines and harsh enforcement but never are applicable in reality, GDPR has a defined mechanism of enforcement which
is based on the cooperation of data protection regulators. This means that companies cannot not
shop among jurisdictions searching for less severe local legislation to avoid implementation of data
subject rights or data privacy principles. Statistics collected from the EU countries shows that during
the first year over 100,000 complaints of data subjects have reached the Data Protection Authorities
(DPAs), more than 35,000 data breach cases were reported and a number of fines have been imposed
for non-compliance. And this in the first year when DPAs are still adjusting their enforcement models.
All regulators responsible for the GDPR enforcement unanimously state that the main aim of their work is to educate, advise and support more than persecute and punish and yet we see that no mercy is being shown to those companies who lack respect to their customer and employee personal data.
WHAT CAN WE EXPECT NEXT?
At this moment more than two-thirds of existing countries have already adopted some kind of data privacy laws – heavy like Europe, Canada, Australia, Singapore, South Korea, robust like China or Argentina, moderate like Mexico, most Asian countries, Brazil. Others have adopted it very limited like Kazakhstan, Iran, and India, but yet they have taken steps towards more efficient and safe data privacy.
Quite some countries are considering to strengthen their data privacy laws the same way Japan did in 2017, meaning that they become more severe in accountability and broader in scope. Therefore, we may foresee that in upcoming years’ personal data privacy will become not only a legal enforcement but also a trend and a standard way of doing business. It is easy to predict that in the near future data privacy will continue being one of the most dynamic and rapidly developing areas. Those who have not yet started adjusting their company procedures and changing employee mindsets to more data privacy regulation and compliance awareness, will have no choice but to adapt rapidly or fall victim of their own negligence by experiencing severe data breaches and at the risk of losing clients trust as well as becoming a target of the DPAs.
WHAT TO DO IF YOU HAVE DONE NOTHING?
If your company was one of those taking a back seat waiting to see what would happen, it is understandable that you might now be thinking that it is too late anyway. The good news is that it is never too late, unless you have already experienced major data breaches and already lost your reputation and all clients. Otherwise you can still start taking steps in the long, challenging but never boring journey of becoming GDPR compliant.
Here are the first steps you must take:
- Schedule meetings with your system administrator, chief finance officer, general legal counsel, HR manager and risk manager. The purpose of those meetings is to get a data map or at least a list of all and any processes where your company or your business partners in any slightest way processes personal data of your customers and/or employees. Define why do you collect this data; do you really, inevitably need this data; where do you store the data and how long do you intend to retain this data.
- Prepare GAP analysis to assess where your company stands at the moment in respect of data privacy and what needs to be adjusted to become compliant.;
- Prepare a roadmap with clear deadlines and bullet points on what must be done.
- Start implementing your roadmap dedicating tasks to your internal resources or external advisors. Pay attention to your employee awareness on the topic as you may have the whole set of policies, procedures and the most modern software, but human is always the weakest link in this chain.
External advisors such as Amicorp provide tailor-made employee awareness training modules.
ONCE DATA PRIVACY IS IMPLEMENTED, WHAT IS NEXT?
So you have been diligent and your company is now close to being GDPR compliant, so what comes next? Can you sit back and relax, waiting for the DPA to come and admire your diligence? The answer is of course negative. One, there is no absolute compliance in data privacy, companies are dynamic and the processes of data collection and processing keep changing; therefore, companies must continuously monitor and adjust accordingly. Secondly, processes like employee awareness, data map adjustments, data protection impact assessments for new or updated processes, an annual audit of all your policies and procedures are all continuous processes involving all community of the company.
CAN ASSIST YOU BECOMING GDPR COMPLIANT
Do you require support in your journey to GDPR compliance? Amicorp can assist you with all steps of the implementation; starting with assistance in data map preparation and gap analysis/assessment of data privacy level in your company, and continuing with the preparation of all company policies, procedures and employee awareness modules.
Amicorp has partnered with Waveland data safety, an online portal service provider, and can offer you access to the portal where all your data privacy documentation may be stored. Your data privacy guide book may be generated there and will therefore be accessible in any place of the world. This is very helpful to those with cross border establishments. Different from other providers, Amicorp offers its clients a tailor-made approach suitable for your business only. We dedicate time to get to know and understand your business philosophy and procedures before preparing the road map and assisting in creating documentation. We provide employee awareness material and courses adapted to your employees and your company needs. We strongly believe that data privacy is a mindset and culture of the company versus just paperwork required to comply with formal requirements of GDPR.
For further information, please contact:
Hanno de Vriend
Global Head -- Business Support Services
Tel: +34 932 082 581
Group Data Protection Officer
Tel: +370 5248 7534