The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
The GDPR has a wide scope. Under Article 3, the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” The GDPR requires organizations to provide quite a number of rights to EU citizens, including transparency, purpose specification, data minimization, the right to erasure (a.k.a., the “right to be forgotten”), and the right to data portability, among other things. There is a requirement for data protection by design that requires those designing products and services to build in privacy and security protections in the early stages of development. There is also a breach notification requirement. With a length of about 250 pages, it is the strictest privacy law in the world and will require extensive time and resources to prepare for.
Despite the severe consequences of failing to comply, many companies seem to be lagging in preparedness. A survey conducted at this year’s RSA conference concluded that over half of the security professionals surveyed were either not currently preparing or not aware of what they needed to do to prepare. According to a different survey of 900 professionals across eight different countries, nearly half of the respondents were concerned their organizations would not be in compliance with GDPR by next year. 86% of these organizations thought the consequences of failing to comply would have a significant adverse effect on their businesses from harming reputation to incurring high penalties. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases.
Preparing for the GDPR can seem overwhelming, but the key is good privacy and security fundamentals. It starts with having a healthy data protection program. Getting ready for GDPR can’t be accomplished in a few weeks, so now is the time to start. At far too many organizations, the C-Suite doesn’t even know what GDPR is and hasn’t allocated sufficient resources to be ready. There will be a lot of last minute scrambling around the turn of the next year.
For more specifics on the GDPR directive for training, please see my “Guide to GDPR Training” which outlines appropriate content and methods to ensure compliance with GDPR’s training requirements.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter (2x per month).
TWITTER: Follow Professor Solove on Twitter.
