May 25th, 2018 is the fixed deadline for your company to be compliant with the General Data Protection Regulation (GDPR). It is a European regulation, not a directive, so it applies directly in every member state from that date, without national transposition or further parliamentary approval.
You can find the full text of the regulation here in English, and also in the 23 other official languages of the EU.
Of course there is also an app for this, courtesy of DLA Piper, and you can find the Android and iOS version here.
We are now halfway through the two-year transition period, which means your company should prepare for compliance now.
Although there are still 12 months left, companies should start as soon as possible, since implementing the GDPR could involve considerably more work than the Y2K compliance project did.
Besides the damage to your brand reputation when customers see that you do not sufficiently protect their privacy and personal data,
companies also risk being fined for non-compliance, and this may scare business people more than anything else. For example, a company can be fined up to EUR 10 million or 2% of its total worldwide annual turnover, whichever is higher, for not keeping its records of processing activities in order (article 30), not notifying the supervisory authority and the data subjects of a breach (articles 33 and 34), or not conducting data protection impact assessments (article 35). More serious infringements can be fined up to EUR 20 million or 4% of worldwide annual turnover, again whichever is higher; these include violations of the basic principles of processing, including the integrity and confidentiality of personal data (article 5), and of the conditions for consent (article 7), which underpin the Privacy by Design concepts of the GDPR.
But which steps do you need to take?
You'll likely need a Data Protection Officer (DPO), and you can read the fine print in article 37.
He or she will advise on, oversee and monitor GDPR compliance, and will be the point of contact for the supervisory Data Protection Authority (DPA). Even if you are not explicitly obliged to appoint a DPO, it is a good idea to have a Chief Privacy Officer (CPO), who will work closely with your Legal Department, your Chief Information Architect (CIA) and your Chief Information Security Officer (CISO). Of course, having an internal or external DPO does not exempt the company's board of directors from its responsibilities, nor from any fines in the case of non-compliance.
Controllers need to notify the DPA (see above) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; where that risk is high, the affected data subjects must also be informed without undue delay (article 34). A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The GDPR gives more rights to individuals, such as the right of access to, rectification of and erasure of their personal data (the latter is often referred to as the "right to be forgotten"), as well as the right to data portability.
Even US, UK, Canadian, Japanese, ... companies that process personal data about EU data subjects (customers, personnel, ...) will have to comply with the GDPR because of its extraterritorial scope: it applies to controllers and processors outside the EU whenever their processing relates to offering goods or services to data subjects in the EU, or to monitoring their behaviour within the EU (article 3). Unfortunately, not every e-commerce company, social media player or multinational is aware of this.
All of these steps should be implemented, documented and monitored. This workshop is a unique cooperation between an information governance consultant and a legal GDPR expert, who have shared a lot of information on how to tackle the GDPR:
This event is specifically aimed at end-users who want to reach compliance while implementing better information management. The latter includes good data classification, master data management, information governance, security, monitoring, reporting, ... and this may be a good time to start implementing, or to revisit, the best practices, industry standards and information security guidelines that have been around for years. The combination of speakers who cover the two sides of the coin (the legal side and the IT side of the GDPR) makes this a unique event.
This workshop will be value-for-money for:
Data Protection Officers and those responsible for privacy and data protection
Information Security Officers and anyone who is responsible for security
Information and Data Management professionals
Business and Information analysts
IT managers, directors and CIOs
Information owners, managers and stewards
Information, Solution, Process, Integration and Enterprise Architects
Legal Staff and Compliance Officers in the public and private sector
Business managers, directors and key business users who work with personal data
Every stakeholder who works with, or is responsible for, data, tooling, guidelines, security, processes, ...