GDPR Compliance is a lot like Sex Education…
We all remember those classes that explained so much biology and so little of what we really needed to know when faced with the real thing. We all just closed our eyes and hoped for the best. The GDPR is no different.
The GDPR has been in effect since May 2018. The question many companies asked ahead of time was whether the EU member states would be aggressive in going after companies immediately, or whether they would wait a while.
Within just a few months, EU citizens began aiming at the big names, Google, Facebook, and Oracle, as well as smaller companies, to make the point that they are not kidding around. Many companies have already been fined for non-compliance. Google was fined €50 million (about $57 million) by the French regulator CNIL for lack of transparency, inadequate information, and lack of valid consent regarding personalization of ads. Google, Facebook, Instagram, and WhatsApp were hit with privacy complaints within hours of the GDPR taking effect, complaints that could carry fines of up to $9.3 billion in total.
Analysts told us that EU member states would move gently in prosecuting non-big-name companies, to give them time to put technology and processes in place. Yet we have seen the opposite in practice. In one case, a Portuguese hospital was fined €400,000 when its own staff improperly accessed patient data, highlighting the need for internal access and user controls (least privilege and access logging for anyone who can reach personal data). In another case, a small Austrian company was fined for a public camera feed that captured too much of a public space, suggesting that a severe course change on public surveillance rules may be in the offing. In fact, analyst firms expected that only 50% of companies would be fully compliant by the end of 2019, while GDPR enforcement will only become more focused and intense.
On January 28, 2019, the European Commission celebrated Data Protection Day by reporting that it had received 95,100 complaints about data practices and 41,502 breach notifications since the GDPR took effect the previous May. The complaints cover telemarketing, email, and video surveillance. The EC is also probing 255 cross-border violations. These figures are startling given the potential fine exposure, and yet so many organizations have yet to do anything about GDPR compliance. It reminds us of the maxim that Duke Professor Dan Ariely coined about big data, adapted here because it fits the GDPR compliance reality:
“The GDPR is like teenage sex - they all talk about it, none of them really knows how to do it, they all assume everyone else is doing it, so they all claim to be doing it also.”
The fact is, hardly anyone is doing it correctly, which raises the question: why? Companies subject to the GDPR are either painfully unaware of current enforcement actions and fines or are choosing to ignore them. Again, why?
- Organizations believe the GDPR does not apply to them because they do not have facilities in the EU (this is plain wrong; the regulation applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, wherever the organization is located);
- Organizations assume it will be years before EU member states start to target non-multinationals (again, this is wrong; all it takes is a single EU resident filing an online complaint against your company to start the process).
The days are long gone when companies could close their eyes and hope GDPR enforcement would fade away, not to mention the risks for companies worldwide from the soon-to-be-in-effect California Consumer Privacy Act (CCPA).
Beware the obvious signs of GDPR non-compliance
The most obvious red flag for individuals looking for a quick payday from the GDPR requirements is to trawl websites looking for Data Protection Officer (DPO) contact information. The GDPR requires a DPO only for certain organizations (public authorities, and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but if a company that clearly falls into one of those categories does not even list a DPO, it is a prime target.
In reality, upon a simple complaint filing, EU member state authorities will be knocking on your door wanting you to answer scores of questions about your data collection and retention practices regarding EU residents. Again, eight months into the GDPR there have been over 95,100 complaints filed. As Dirty Harry, arguably the leading philosopher of the 20th century, once asked: "Do you feel lucky... punk?"
GDPR Compliance Checklist
We are now almost a year into the GDPR experience. Companies that have not yet addressed it seriously are playing with fire. Take a quick self-audit to see where your risks lie:
- Have you designated a DPO (Data Protection Officer), where one is required, and listed them with their contact information on your website?
- Have you included clear consent (opt-in) and withdrawal (opt-out) descriptions on your personal information collection forms? Under the GDPR, consent must be an affirmative action (no pre-ticked boxes), and withdrawing it must be as easy as giving it.
- Have you thought about data sovereignty requirements around data movement, including which regions your data (and its backups and replicas) may be stored in and transferred to?
- Have you fully considered the right to be forgotten (right to erasure) and how you would conduct secure deletions, including copies in archives, backups, and logs?
- Does your company's information management system support GDPR compliance functionality (policies and procedures, retention rules, access controls, and an audit trail of who accessed what)?
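One practical answer to the secure-deletion item above is crypto-shredding: each data subject's records are encrypted under a per-subject key, so honouring an erasure request means destroying that key, after which every copy of the ciphertext (including the ones sitting in backups and archives you cannot practically rewrite) becomes unreadable noise. The following is an added illustration written for this page, not Archive360 code and not a description of any product's implementation. The `SubjectVault` class, its record layout, and the HMAC-SHA256 keystream cipher are all assumptions made for the example; the keystream cipher is there only so the script runs on the Python standard library, and a real system would use AES-GCM from a vetted library and keep the subject keys in a KMS or HSM.

```python
"""Crypto-shredding demo: per-subject keys make erasure a key-destruction operation.

Added example, not the page's or Archive360's code. The cipher below is an
illustrative HMAC-SHA256 counter-mode keystream so the script needs only the
standard library; production code must use AES-GCM (or similar) from a vetted
library. Sample records are constructed for the demo.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Derive a keystream from HMAC(key, nonce || counter); illustrative only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SubjectVault:
    """Hypothetical store: records are kept encrypted, keys are kept separately."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}              # subject_id -> the ONLY copy of the key
        self._records: dict[str, list[tuple[bytes, bytes]]] = {}  # subject_id -> [(nonce, ciphertext)]
        self.audit: list[tuple[str, str, bool]] = []    # (request_id, subject_id, key_destroyed)

    def store(self, subject_id: str, plaintext: bytes) -> None:
        # First record for a subject creates that subject's key.
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        self._records.setdefault(subject_id, []).append((nonce, ciphertext))

    def read(self, subject_id: str) -> list[bytes]:
        key = self._keys.get(subject_id)
        if key is None:
            # Key gone (erased or never existed): ciphertext is unrecoverable.
            raise KeyError(f"no key for subject {subject_id!r}; data is unrecoverable")
        return [_xor(ct, _keystream(key, nonce, len(ct)))
                for nonce, ct in self._records.get(subject_id, [])]

    def erase(self, subject_id: str, request_id: str) -> bool:
        # Right to erasure: destroy the key. The ciphertext may legitimately
        # remain in archives/backups; without the key it is just noise.
        # In a real deployment every copy of the key (KMS, HSM, key backups)
        # must be destroyed, and the audit entry is the evidence you keep.
        destroyed = self._keys.pop(subject_id, None) is not None
        self.audit.append((request_id, subject_id, destroyed))
        return destroyed

    def ciphertext_count(self, subject_id: str) -> int:
        # Shows that erasure did not require touching the stored records.
        return len(self._records.get(subject_id, []))


def demo() -> dict:
    """Run the erasure workflow on constructed sample data and report the outcome."""
    vault = SubjectVault()
    vault.store("subject-42", b"name=Jane Doe;email=jane@example.eu")  # constructed sample
    vault.store("subject-42", b"order=9981;address=1 Rue Example, Paris")
    vault.store("subject-7", b"name=John Roe")
    before = vault.read("subject-42")
    erased = vault.erase("subject-42", "DSAR-2019-0001")
    try:
        vault.read("subject-42")
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "records_before": len(before),
        "erased": erased,
        "readable_after": readable_after,
        "ciphertext_still_stored": vault.ciphertext_count("subject-42"),
        "other_subject_intact": vault.read("subject-7") == [b"name=John Roe"],
        "second_erase": vault.erase("subject-42", "DSAR-2019-0001-dup"),
        "audit_entries": len(vault.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is in the last three fields: the two ciphertext records for the erased subject are still on disk, another subject's data is unaffected, and a repeat erasure request is recorded but reports that there was nothing left to destroy. That audit trail is what you hand the supervisory authority when the knock on the door comes.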
Archive360 can show you how to do it. Come on now, get your mind out of the gutter; we mean how to address the GDPR and data collection and management. Archive360's Azure-based information management and archiving solution permits small to enterprise-level organizations to manage their data in a GDPR-compliant fashion, so the knock on the door does not send shock waves through your organization.
Contact us to find out more about the Archive2Azure intelligent information management and archiving platform for the Azure Cloud.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles, and blogs.