Lack of Data Protection Capabilities Could Cost You As The EU Toughens Up
It has been more than a year since the EU introduced its GDPR regulations, and yet many firms across Asia are still not compliant. These firms risk massive fines and damage to their business reputation. Already, companies have been fined millions – from the first documented fine of €400,000, levied on a hospital in Portugal, to the biggest fine to date: a €50 million penalty handed out to Google for using personal data inappropriately.
With the EU warning that hefty GDPR fines are imminent and that it will tighten up on regulation, what should your organisation be doing to avoid the potentially catastrophic consequences of non-compliance?
What Is GDPR?
GDPR is the EU's data protection regulation. It requires all businesses to protect the personal data and privacy of EU citizens. The regulation came into force in May 2018, and requires organisations to implement certain measures, which include:
- Keeping internal records of data protection activities
- Notifying regulators of data breaches within 72 hours, documenting the facts, their effects and the remedial actions taken
- Appointing a Data Protection Officer (DPO) in certain circumstances
What Are The Fines and Sanctions That Could Be Imposed?
If an organisation is found to be non-compliant, the regulators could:
- Issue a warning
- Impose a temporary or definitive ban on processing personal data
- Impose a fine of up to €20 million or 4% of global turnover
- Do all the above
Is Your Organisation At Risk?
Prior to the regulation's introduction in 2018, the Ernst & Young 2018 Global Forensic Data Analytics Survey found that only 12% of organisations in the Asia-Pacific region were prepared for GDPR. There has been little progress since:
- A survey by IT Governance in December 2018 found that 71% of organisations still were not compliant with GDPR
- A March 2019 nCipher study found that fewer than half of IT executives had a strategy for organisation-wide encryption – a linchpin of the cybersecurity measures expected under GDPR
What Should Organisations Do To Become GDPR Compliant?
With the EU regulators set to take an increasingly tough stance on GDPR compliance, organisations across Asia are being advised to ensure they are compliant. Here are the key steps that organisations should take:
Evaluate Existing GDPR Strategy
Many plans drawn up before the regulations came into force have been found not to ensure compliance: planning was rushed, and gaps were left in the GDPR plans that were executed.
It is important that organisations understand what data they hold and whether it falls within the scope of GDPR. A data audit should help an organisation understand its data, where it comes from, and how it must be treated.
Ensure Clear GDPR Policies Are In Place
Organisations should maintain clear policies to prevent security breaches. One such policy is to prohibit employees from storing data on their personal devices or sending data to personal accounts. Others include regular password changes, accessible privacy policies, and ensuring that explicit consent for data usage is obtained.
Train Staff In GDPR
Organisations should train employees in GDPR. There is often value in providing this training at regular intervals, to reinforce previous learning and to update staff on new policies. GDPR training should be included in the induction training of new hires. It should cover GDPR policies, data handling and management, and give staff an understanding of the data the organisation holds and how it is used.
Focus On IT and Data Protection
Organisations should ensure that their IT systems are fit for purpose and up to date. Data security should be at the forefront of IT, data and business strategy. Further, organisations should ensure that they have a Data Protection Officer who keeps systems and policies under constant review, to future-proof the organisation against GDPR and other data protection regulations.
Good technical employees will be able to deliver systems that monitor data sharing, keep systems up to date, and provide the solutions a business needs in order to remain in compliance with GDPR at all times – and to avoid fines that could cripple an organisation.
Do You Need A Data Protection Officer?
In some respects, the GDPR is vaguely written. However, it is very clear about whether an organisation should have a Data Protection Officer (DPO). You are in breach of the GDPR if your organisation does not currently have a DPO and has any of the following characteristics:
- More than 250 employees
- Processes data on a large-scale basis
- Processing is carried out by a public authority
- Processes sensitive data
- Monitors and tracks individuals systematically
- Processes special categories of data, or data relating to criminal convictions and offences
- Processes and systematically monitors data, internet traffic, or IP addresses
To discuss your staffing needs and ensure you remain GDPR compliant, contact Prime Insight today.