How the GDPR has changed our understanding of data protection
The new, already old, EU data protection legislation (GDPR), which entered into force on May 25, 2018, has significantly changed the way we look at and perceive data privacy. Whether as a natural person or as a company, the vast majority of us have already had an experience with the GDPR: signing a consent form for marketing purposes, opting out of cookies, or organizing or participating in the long and exciting journey of implementing a GDPR project within a company to ensure compliance with the regulation.
“If you think compliance is expensive, try non-compliance,” says former U.S. Deputy Attorney General Paul McNulty.
For companies that fall within the scope of the GDPR, being compliant is not an option, it is a must. Supervisory authorities differ in how they impose fines and in the amounts they impose. The fines for non-compliance set out by the European Union through the GDPR are split into two tiers: fines for less severe infringements (such as breaches of the obligations of controllers and processors), which can reach up to €10 million or 2% of the company’s worldwide annual turnover, and fines for more serious infringements (such as violations of the data subject rights, the basic principles of processing, and the rules on international data transfers), which can reach up to €20 million or 4% of the company’s worldwide annual turnover; in both cases the higher amount applies.
The simple answer: follow the rules. In the course of implementing GDPR projects back in 2018, many companies did not have a clear picture of what was required in order to be compliant. The GDPR provides only indications of what needs to be in place; there are no specific, detailed requirements or instructions, because the regulation applies across different countries and industries. To put the pieces of the puzzle together and become fully compliant, a company needs to consult a much broader range of sources, such as guidance issued by the relevant authorities, support from data privacy advocates, national law, and established market practices and standards. At the end of the day, even the simple answer is not so simple after all.
So, the solution is: know your data subjects and the data you process. Why? One of the keys to tackling the GDPR is keeping the data subjects always in focus. A significant difference from the preceding legislation is the data subject rights, and this is where the highest fines are also concentrated. Many say the regulation is not about protecting the data but about protecting the people whose data is being processed. Knowing your data subjects (and the data of theirs that you process) and having their best interest in mind is one of the key elements of a successful privacy program. Learn to manage their expectations. Understand your company’s business strategy, as your data protection strategy is tightly linked to it; think process-wise; and do not forget the industry specifics and the legal framework. Management must be on board, but bring your IT staff and information security experts on board as well. Learn to speak a language both sides understand, because there is no data protection without proper information security in place.
Build your data protection management system around these core elements, and do not underestimate the importance of employee awareness or the risks and threats of not doing it properly: you are only as strong as your weakest link. Performance checks at regular intervals are also a good idea, to prevent stressful situations before a data deletion request or even a surprise audit occurs. Continuous improvement is a necessity, since data protection is not going anywhere; it is here to stay.