Do you have customers in the EU or are you currently looking at expanding to the EU? If so, you may need to prepare for GDPR compliance.
Customer data is becoming an ever-increasing commodity in our everyday business. Customers are at the centre of everything we do and their data is being captured, analysed and utilised in some way, shape or form. Regulations are quickly catching up in this space and on 25 May 2018 we will see the European General Data Protection Regulation (GDPR) come into force. The GDPR will apply in the EU, as well as internationally, if a company is located within the EU; offers goods or services to data subjects located within the EU; or otherwise monitors the behaviour of individuals located within the EU.
As well as significant reputational damage for getting this wrong, penalties for breach include fines of up to 4% of annual group-wide worldwide turnover or EUR 20 million, whichever is higher. So this needs to be taken seriously!
Though the costs are small relative to the global turnover of multinational companies, technology groups have suggested GDPR could be one of the most expensive pieces of regulation in the sector's history.
There is a lot of useful information being provided on GDPR from law firms, accounting and consulting firms and alternative legal service providers.
In this blog, we take a whistle-stop tour of what it means and how it might apply to you if you are based outside of the EU.
What are some of the key questions companies should be asking?
- My business is based outside of the EU. Does this apply to me?
- What are the new GDPR obligations? How will they affect my business?
- What steps should we take to prepare for the changes required?
Here are some basic principles of GDPR:
- The GDPR was adopted on 27 April 2016 in the form of a European Regulation and takes effect on 25 May 2018, replacing the existing data protection framework dating back to 1995.
- One of the key aims of GDPR is to increase the rights of individuals.
- As well as applying to companies within the EU processing data relating to individuals, it also applies to companies outside of the EU. More specifically, it applies to Data Controllers and Data Processors outside the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, Data Subjects within the EU.
- Companies outside of the EU may need to appoint a representative in the EU or otherwise have Data Protection Officers (DPOs) as part of their accountability programme. DPOs will have obligations to adhere to.
- The GDPR places onerous accountability obligations on Data Controllers to demonstrate compliance.
- A Data Subject’s consent must be freely given, specific, informed and unambiguous. Equally, it must be just as easy to withdraw. A Data Controller must also be able to demonstrate that consent was given. Existing consents may still work but only if they meet new conditions.
- Data Controllers must provide transparent information to data subjects about how data is used, their rights and other key information such as the lawful justification for how their data is being used. This must be done at the time the personal data is obtained.
- In the case of a data breach, notification to the data protection regulators needs to be provided within 72 hours of becoming aware of the breach. Mandatory breach reporting to customers where there is a high risk to them is also being put in place.
What do I need to do to ensure compliance?
- It’s not too late but you need to start now!
- Compliance with GDPR regulations may require significant changes to processes, technology and operational structures ahead of the 2018 compliance deadline.
- Speak to your existing advisors – law firms, accounting firms, management consulting firms.
- For a value-driven solution, work with KorumLegal to help plan your approach, undertake a gap analysis and carry out legal and compliance audits alongside your business, allowing you to get on with your important business priorities.
- Where to start? (1) Understand what data you have, where it is from and where it is being used; (2) identify whether GDPR impacts your business; (3) if so, identify whether you are currently compliant (gap analysis); and (4) then identify the changes needed to achieve compliance (implementation and remediation).
How can KorumLegal help?
KorumLegal can provide Legal Consultants to assist with the following:
- Conduct a gap analysis of existing systems, processes, data flows, suppliers, customers and contracts
- Identify remediation steps needed to ensure compliance
- Provide tools, policies, and playbooks to achieve GDPR compliance
- Provide training and awareness on data privacy to meet core GDPR requirements
- Provide flexible legal support for in-house or remote project support
- Utilise our community of experienced legal consultants, legal project managers, technology partners and networks to provide an integrated solution
- We will combine our People, Process and Technology solutions to support you and your organisation.
Available tools from Kormoon include:
- Accountability and data mapping – automated workflow tool to identify the permissibility of data usage, achieving risk assessment and data mapping within one solution;
- PIA – automated privacy impact assessment solution.
For more information on GDPR readiness, see resources below:
Titus is founder of KorumLegal. He has a keen interest in technology and innovation. Paul is founder of Kormoon.ai. He is an experienced commercial, digital and data privacy lawyer.