GDPR - DON'T PANIC!
Today, May 25, 2018, GDPR goes into effect. To borrow some deeply practical advice from Douglas Adams, The Hitchhiker's Guide to the Galaxy...DON'T PANIC!
May 25, 2018
What GDPR Is
GDPR, the General Data Protection Regulation, is a European Union law on data protection and privacy for all individuals within the EU. Not located in an EU country? GDPR also addresses the export of personal data outside the EU (door slams shut). GDPR also aims to give EU citizens and residents control over their personal data (another door slams shut). One last thing...GDPR broadens the definition of ‘personal data’ to include locations, browsing history, and IP addresses. Adopted on April 14, 2016, GDPR had a 2-year transition period until it became enforceable – today! Penalties for non-compliance can be up to 4% of an organization’s global revenue or 20 million Euros (about $24 million), whichever is higher. Let me repeat, DON’T PANIC!
GDPR Highlights
Consent is a big part of GDPR. Consent must be explicit and clearly explain the purposes that data will be used for. Consent for children must be given by the child’s parent or custodian and needs to be verifiable. Recording of phone calls has very specific rules and restrictions under GDPR. GDPR provides a 'Bill of Rights' for personal information. There are eight 'rights' under GDPR; the most commonly referenced are the following four.
Right to Be Informed - If an organization has a data breach, GDPR has specific rules and timelines that require notifications to supervisory authorities as well as the individuals whose personal data may have been compromised.
Right of Access - When a customer requests a copy of their information, it must be sent for free within a month of the request, typically in an electronic format.
Right to Rectification - Organizations must amend incorrect or incomplete information (in a timely manner) when asked to do so by a customer.
Right to be Forgotten (aka 'Right to Erasure') - An EU citizen can request that any personal data related to them be erased by an organization from all systems.
Data protection by design and default is another component of GDPR. This means an organization's privacy settings must be set at a high level by default and that both technical and process measures must be in place to ensure that personal data is not processed unless it is necessary for a specific purpose. Again, for the record, DON’T PANIC!
GDPR Impact
Cost? Research conducted by Dimensional Research in May 2017 found the following:
55% of respondents will be investing in technology and tools to help with GDPR compliance
83% expect GDPR spending to be in the six figures
25% of large companies expect to spend over $1M to address GDPR
The security and privacy professionals participating in the research worked for organizations with a minimum of 500 employees, with 92% of the organizations headquartered in the US or Canada, 5% headquartered in an EU country, and 3% in Asia Pacific, Central America, or South America. If you are a company based in the United States, you need to be thinking about GDPR if you have EU citizens or residents sharing some of their personal data with you via a website form or a phone call. This sharing of data might be in the form of a request for product information, an online college application, an online warranty registration, or any number of other types of contacts. One more time, DON’T PANIC!
GDPR First Steps
There are some practical steps you can take to move thinking and action about GDPR forward in your organization. It would be too easy (and self-serving) to say hire High Monkey to help you with GDPR planning and compliance...so I won’t say that. Some first steps you can take are:
Take a look at a guide: There are several books available; some guides are published by product vendors like Microsoft, SAP, and IBM (to name a few), and other guides are published by law firms or consultants. Do a search and read a few of them to get familiar with GDPR. Our favorite CMS from Kentico has a great white paper titled ‘GDPR Compliance and Your CMS’ available online.
Keep an eye on the news: The process around how GDPR will be investigated and enforced has a lot of unknowns. There will likely be a few high-profile cases in the next several years...think in terms of organizations with a business model that is built around collecting personal data. How those first few enforcement cases roll out will set a tone.
Start gradual change now: Make a good faith effort toward GDPR compliance and document it. This step can make a big difference in how penalties are assessed and whether your organization is given a ‘grace window’ to achieve compliance.
Create a good infrastructure: Look at tools that are GDPR compliant or that have features that help you achieve compliance. We are a Kentico CMS Gold Partner and we recommend the Kentico platform for websites (in part) because they are leaders in building processes and best practices into their Content Management System product. Kentico has some great information about GDPR and data protection available on their website.
Figure out where you stand: If your organization possesses personal data that has been provided by at least one EU citizen or resident, you should take some extra steps...
1. Start looking at how you solicit consent and the phrasing you use
2. Understand all the locations that personal data is stored (websites, databases, file shares, portals, spreadsheets, documents, directories, etc.)
3. Review your organization’s policies and practices for data retention and data security
4. Begin creating a process to handle requests from EU citizens and residents who ask to be provided with a copy of their personal data your organization may possess, or who invoke their ‘right to be forgotten’
Note: This blog post does not constitute legal advice or guidance