If you do business in Europe, you WILL be impacted by the new General Data Protection Regulation (GDPR). Although it was adopted in April 2016, companies are required to show compliance with this regulation by May 25, 2018.
GDPR is the most significant change to European privacy regulation in the last twenty years. It replaces the EU Data Protection Directive (95/46/EC) introduced in 1995. Effective May 25, 2018, this regulation forces organizations to institute strict measures related to privacy notification, use, and consent; implement controls and processes for data management; and enhance security measures for data protection. Additionally, it is the first EU-wide regulation to mandate, for many organizations, the designation of a Data Protection Officer (DPO) responsible for overseeing compliance and acting as the point of contact for the supervisory authorities and other privacy entities.
This regulation crosses all industries. Any company that processes personal data of individuals in the EU is required to be compliant. Types of data include but are not limited to basic identity information such as name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health, genetic, and biometric data; racial or ethnic data, etc. Companies must comply by May 25, 2018 or run the risk of financial consequences: fines of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher.
This regulation requires that organizations institute privacy processes that manage notification and consent. They must develop and deploy privacy training and awareness materials, and modify current privacy language to align with GDPR requirements. Processes must be implemented to continuously monitor performance, identify risks, and highlight potential threats. System controls need to be established or enhanced. And organizations must revise policies, SOPs, and procedures to govern privacy activities.
Hawkins Point can efficiently and effectively perform a Readiness Assessment to determine your current position, and define and implement the plan to ensure compliance. Typical outcomes of a readiness approach will include:
• Training & Awareness: Develop and deploy privacy training and awareness materials.
• Privacy Language: Modify current privacy language to align with GDPR requirements.
• Processes: Implement processes for oversight to continuously monitor performance, identify risks, and highlight potential threats.
• Data Map: Create a data map as a baseline tool to identify the information impact, point of information entry, system, and geographic location of impacted data assets.
• Controls: Establish or enhance system controls.
• Information Security: Establish or enhance security measures.
• Policies, SOPs, Procedures: Revise, develop and deploy policies, standards and procedures to govern privacy activities.
• Data Protection Officer: The DPO is resourced to support the development, implementation and maintenance of the global privacy program.
The timeline is short. Let’s get in touch!