Think You Have Plenty of Time to Plan for GDPR? Think Again
We all do it. We look at a deadline that’s months away and we tell ourselves we’ve got lots of time to think about it. In fact, that’s probably what you thought when you first heard about the European Union (EU) General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Even now, it’s still months away — right?
So we procrastinate. Not because we’re lazy, but because we’ve got lots of other things to think about.
But while you’ve been confidently putting it off for that day when you imagined you’d have an hour or two of free time, here’s what you may wish you knew sooner.
Data Protection Is About to Get Personal
It’s likely that GDPR will fundamentally change the way organizations manage personal data — and its related security, privacy and breach notification practices. And that goes for organizations located outside the EU as well.
- The penalties for noncompliance are steep.
- There are tools available now to help you figure what you need to do to meet the regulation’s requirements and get you started on a road map to help you move forward.
- There’s still time to take control of your situation — if you act now.
A Few Facts to Get You Up to Speed
GDPR applies to any organization — anywhere — that’s doing business with any of the 700 million individuals in the EU, regardless of its citizenship or where its data may be. In fact, it could be just visiting an EU country. What’s more, many of the regulation’s requirements may be extended to apply to individuals in neighboring countries of the European Economic Area (EEA) — including Switzerland, Norway, Iceland and Liechtenstein — where it’s likely they’ll adopt many of the same rules included in GDPR.
We know: You’re still thinking — hoping — you don’t need to be too concerned about GDPR right now. But before you make that decision, you might want to consider how GDPR will likely impact the following businesses:
- Financial services companies will no longer be allowed to use automated credit report profiling systems to determine whether to accept or deny credit card applications without obtaining explicit consent (GDPR, Article 22, p. 147). Going forward, they may need to insert some sort of “middle man” into a process that had been fully automated.
- E-commerce companies will have to follow strict opt-in and opt-out requirements (GDPR, Article 7, p. 123; Article 9, p. 125). And those opt-in rules will need to be explicit, while opting out must be made very simple.
What’s that? You don’t work in finance or e-commerce? Because we don’t want you to feel left out, here are some additional GDPR facts you might find interesting.
- Any business collecting personal data (defined as names, email contacts, photos, IP addresses, credit card information and medical information, for example) on EU residents must inform those individuals of the purposes for which the data will be used and why it’s being collected — outside of any lawful and legitimate data processing conditions. Businesses are required to obtain and maintain explicit consent from every individual, especially for any automated profiling or data transfers. They also need to be able to retrieve the data from their systems within one month in order to meet data subject access requests.
- Do you have employees working in Europe? Business partners or business contacts in Europe? As long as they’re living and breathing individuals on EU soil, these individuals are in scope. Surprised? Many folks are when they find out it’s not just about consumers.
- Businesses will no longer be allowed to keep individual data for as long as they want. Instead, they’ll need to periodically review their data governance practices and delete or destroy any data that’s no longer necessary.
What If You Don’t Do Anything Now?
Here comes the scary part about procrastinating: GDPR mandates that organizations implement solutions and practices that ensure compliance with its rules. And if they don’t? Passive or willful noncompliance can carry penalties as high as 4 percent or up to 20 million euros of annual global revenues, whichever is highest. That could pose serious problems, especially because it was reported earlier this year that three-quarters of non-IT leaders at U.S. firms believe GDPR doesn’t apply to them.
What’s Everyone Else Doing?
As you might expect, we’ve found organizations based in Europe to be more actively involved in preparing their systems. Financial services firms — both within Europe and in the US — often appear to be ahead of other businesses in their preparations. But the one question we’re hearing over and over again is, “What should we be doing?” So don’t beat yourself up about not knowing the answer to that one.
Do It Now
So, if procrastination isn’t the best approach to preparedness, what is? As you may have figured out by now, we believe the wait-and-see strategy, also known as the “procrastinator’s special,” is a recipe for disaster. Sure, we know you’ve got plenty of other important things on your plate, but do you really want to take your organization down that road? We didn’t think so.
We think there’s a better approach. Set aside some time with some of the other people in your organization who need to be involved, and familiarize yourselves with GDPR and its requirements. Explore the resources we’ve suggested here to read more about what you need to do and when you need to do it.
And stay tuned. We’ll be adding more insights and ideas for you to ponder in the months to come, because no matter what you tell yourself, May 25, 2018 isn’t really that far off.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.