The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The GDPR is a total overhaul of EU data protection law and will be implemented by the UK despite the Brexit vote. With fines of up to 4% of annual global turnover or EUR 20 million (whichever is higher) for non-compliance, coupled with the negative PR associated with mistreatment of client/customer data, the GDPR and data protection are now boardroom issues.
The GDPR is extremely broad in scope – it applies to any organisation offering goods or services to data subjects in the EU or monitoring their behaviour (to the extent that it takes place within the EU). Companies with only minimal data on EU subjects still have to comply with the GDPR in the same way as those that hold and manage data on thousands of individuals, creating a potentially onerous compliance burden for all organisations caught by the GDPR.
Organisations have until 25 May 2018 not only to comply with the GDPR, but also to be able to demonstrate compliance to the regulator, i.e. to prove that they have verifiable systems and processes in place to manage data.
At a minimum, organisations caught by the GDPR need to:
For organisations with a lot of data and little idea how it is used across the business, this is a substantial task.