Four Essential GDPR Requirements To Consider
A survey carried out by ISACA found that a mere 29% of companies worldwide will be prepared for the compliance deadline of the GDPR, which comes into force on May 25th 2018. The new regulation outlines requirements businesses must meet in order to protect the personal information of EU-residing clients.
Significantly, the regulation also applies to companies that do not operate in the European Union but still hold the personal information of individuals living in the EU. The penalty for violating the terms of the regulation is stated as the greater of “€20 million or 4% of annual global turnover”.
Not only are businesses unprepared for the fast-approaching deadline, but Reuters finds that many regulators still lack the funds to enforce the new rules: 17 of the 24 regulating bodies interviewed were still unprepared to enforce the laws. However, companies should not use this as a reason to delay their preparations to comply with the GDPR. It is therefore important for Canadian companies to become informed of four main requirements presented by the regulation.
Firstly, Privacy By Design must be considered in the usage of client personal information. Specifically, the GDPR states that only personal data essential to the functioning of the company should be kept, and that this information must only be accessible to those who need to process it. The concept itself is not new, being based on fundamental principles which were outlined over 10 years ago by Ontario Information and Privacy Commissioner Dr. Ann Cavoukian. These include ideas such as “Privacy as the default setting” and “Privacy embedded into design”.
Second, the GDPR outlines cases wherein personal data must be deleted from company databases – a concept known as the Right to be Forgotten. When data is no longer required for its original use and the client no longer consents to its use, the data must be erased. While the GDPR stresses the importance of the “Right to be Forgotten”, it also recognizes the need to balance it against other interests, such as access to public information.
Third, data must be erased when Consent is no longer given by the client to store and use their information. Furthermore, the GDPR requires companies to ensure informed consent by providing clear and accessible consent forms to clients. Significantly, it prohibits the use of legal terminology that the general public cannot understand.
Finally, the GDPR states that companies must now always Notify Clients of Data Breaches. Specifically, once a breach is identified, affected clients must be notified immediately, and regulators must be notified within a 72-hour period.
In sum, Forrester reports that if the GDPR is implemented successfully, it will be advantageous to both businesses and clients. While clients will be assured of the safe and responsible use of their personal information, corporations will enjoy increased customer satisfaction by adapting to rapidly changing customer expectations. It is therefore important for Canadian businesses to ensure their compliance with the GDPR before May 25th 2018.
For more information on how to prepare for the upcoming GDPR deadline, Call GigE at +1 (888) 366-4443.