With less than two months to go, many companies still aren’t ready to meet the requirements of the EU’s General Data Protection Regulation (GDPR).
That’s according to Janco Associates’ Security Manual Template, which includes a GDPR compliance checklist. Any U.S. organization that handles data belonging to EU citizens will be required to be compliant when the regulation comes into force on May 25. Noncompliance can trigger penalties totaling 4 percent of revenue, or a maximum of $22 million.
“We have reviewed the compliance plans of over 200 SMB enterprises and have found that 34 percent of the companies are not ready to meet the EU’s GDPR requirement,” said Janco CEO Victor Janulaitis. “Most say the GDPR requirements are very complex, not enough resources have been allocated and that many of the skills required to implement GDPR are in short supply. In any case, most feel they will comply by the latter half of 2018, well after the compliance deadline.”
Digital marketing firm Vizergy said the GDPR defines a few roles that are responsible for ensuring compliance. Mainly, the data controller, data processor and the data protection officer (DPO) will be responsible for compliance across an organization, it said.
The data controller defines how personal data is processed and the purposes for which it is processed. The controller also is responsible for making sure that outside contractors are in compliance.
Companies must provide a “reasonable” level of protection for personal information about EU citizens in EU states. Examples of personal information are name, home address, photo, an email address, bank details, posts on social networking websites, medical information, cookie data, race or ethnicity, political opinions, biometric data, or a computer’s IP address for geotargeting.
Vizergy offers the following tips for GDPR compliance:
- Consent to use a person’s information must be clearly explained and there must be a positive opt-in.
- At the time of data collection, a privacy notice should be presented.
- Collected personal information must be relevant and limited to what is necessary.
- Do not keep personal information any longer than necessary.
- Have a data protection policy and data breach response plan in place that meets the requirements of the GDPR.
- Seek expert advice or legal counsel as needed.