The long-anticipated May 25, 2018, date for European Union’s General Data Protection Regulation (GDPR) enforcement has come and gone, but many businesses admit they still aren’t in compliance with the law. An SAS survey found only 46 percent expected to be GDPR-compliant by the May deadline. GDPR, however, is in effect, it’s enforceable, and if businesses that collect data or monitor behavior of people in the EU need to accept the fact that it applies to them.
One of the first things about GDPR that will capture your attention is the magnitude of fines for noncompliance. Violators can face fines up to 4 percent of annual revenue or €20 million, whichever is greater. It’s easy to take the perspective that GDPR establishes punishments that a business has to avoid. But it’s better — and more productive — to view the law as a standard for data stewardship and guidelines for how to be more responsible with people’s data. The SAS survey revealed 84 percent of global companies agree GDPR will improve data governance.
GDPR gives people in the EU more control of their personal data, including names, addresses, photos, payment data, or social media posts. The European Commission also points out that it also provides benefits to businesses by leveling the playing field with one set of data use rules and by increasing consumer confidence. GDPR regulates any business collecting and monitoring data in the EU, regardless of where the business is located.
The law applies to both data controllers (e.g., e-commerce merchants doing business in the EU) and data processors (e.g., cloud providers that store data). GDPR also requires that some organizations appoint a data protection officer (DPO), depending on the nature of the business and the type and scale of data collection. Small and medium-sized businesses with fewer than 250 employees are only required to keep records if they regularly collect data or if the data they collect is sensitive or may impact a person’s rights or freedoms.
Data Management Best Practices
There’s no denying the GDPR regulation can be intimidating. But within the multi-chaptered, multi-articled, you will find a number of requirements that boil down to data management best practices. For example:
GDPR changes how data subjects in the EU give consent to collect or use their data. The consent form must be easy to understand, using straightforward language, and it must be distinct — it can’t be tied to another activity like making a purchase. Organizations must also provide a way for a person to withdraw consent just as easily as they can give it.
• Collect and Keep Data Only as Needed
GDPR requires that organizations only collect data that is required for their business purposes and to keep it only for the amount of time that it’s needed. Collecting everything possible and sorting out later is no longer acceptable. It’s also not permissible to store data indefinitely in large data warehouses or lakes, a practice that could magnify the impact if the organization is the victim of a cyberattack.
• Data Erasure
If you have a lingering question about the ownership of data, GDPR answers it: It belongs to the data subject. Organizations are required to be transparent about data collection and use, and, if data subjects request it, to provide it, modify it, or erase all data that pertains to a particular person. Establish efficient processes for locating all data by data subject so it can be accessed, corrected, or erased.
It’s Time to Comply
Don’t consider GDPR compliance just as a box to check, but as good business practices related to collecting and managing data. Take this opportunity to establish processes that automate and meet GDPR requirements with efficiency and accuracy. May 25 — when businesses were supposed to have their data management houses in order — has passed. Don’t delay.
- Tamara Worden serves as Senior Director of PCIDDS Compliance in North America for EVO Payments. She has more than 21 years of experience in the payments industry in a variety of management roles, including Project Management, Application Processing, Training, Quality Assurance, Retention, Terminal Leasing and Portfolio Management. Tamara is an ETA Certified Payment Professional.