This data protection regulation extends the scope of the law to all companies, even foreign companies, who are processing data of EU citizens and residents. The net effect will be to strengthen the rights of EU citizens and residents over their personal data and shift the responsibility of how data is collected, held and processed from the individual to the organisation.
The regulation has real teeth with severe penalties, in some instances up to 4% of worldwide turnover. The regulation came into effect on the 25th of May 2018, so the clock is ticking. You now have only a year to put systems in place to ensure your initial compliance with the regulation and your continued compliance into the future.
There are three principal areas you will need to address to become compliant with the legislation:
Governance: your data protection and privacy policies need to be set out in a formal document and available on your websites, at data collection points and communicated to all your employees.
Compliance: you need to take steps to ensure compliance in the areas of direct marketing, human resources, IT systems and security.
Once compliant, there are ongoing regulatory responsibilities to ensure that personal data that you store or process will be:
Accurate and kept up to date
Processed lawfully, fairly and transparently
Limited to the information that is necessary to the organisation
Collected for a specific purpose
Processed in a way that ensures security from breach, damage and loss
Stored only for as long as appropriate
Compliance is not a once-off, but an ongoing, exercise. Carve out the time now and do the groundwork needed to create and implement systems that will last your organisation into the future and secure its regulation compliance as it grows.
While some companies will be appointing a data protection officer to help with the process, others will use a consultant or an external service provider that will assist in managing the process to becoming compliant.