Author: J Trevor Hughes, President and CEO, IAPP
The European Union’s General Data Protection Regulation (GDPR), set to take effect on May 25, 2018, looks to be one of the most significant pieces of legislation to pass in more than a decade. Many are likening it to Sarbanes-Oxley in the US – a law with broad reach for many organisations, whether based in the US or not.
Due to its far-reaching scope, the GDPR stands to affect any business marketing to the EU or collecting personal information from individuals in the EU.
Even if the business is collecting relatively innocuous data, such as email addresses, phone numbers and IP addresses, there is a new standard of care that must be adhered to. Data must not only be secure, but organisations collecting, using or processing data must ensure they have the proper legal basis for handling it.
At more than 100 pages long, it’s a complex and wide-ranging piece of legislation. Failure to comply could cost businesses either €20m or four percent of global turnover, depending on which is greater.
Preparing for change
The International Association of Privacy Professionals (IAPP) is supporting organisations as they adjust to their new compliance responsibilities. IAPP’s Annual Privacy Governance Report tracks the privacy and data protection practices of organisations around the world. Nearly 600 companies and public bodies took part in the extensive survey, answering questions on their plans to respond to the GDPR.
The most mature privacy operations see the GDPR as an opportunity to get ahead of the pack
The report found that 63 percent of respondents are investing in training as part of GDPR preparation. Meanwhile, 55 percent are investing in privacy operations technology, 52 percent are creating new accountability frameworks to show regulators they are complying with the law, and 48 percent will be appointing a data protection officer.
The IAPP estimates that 75,000 data protection officers will need to be appointed and trained in line with the new regulation. The report shows that organisations are hiring an average of 2.2 employees in full-time roles and 1.7 employees with privacy responsibilities as part of GDPR preparation. Organisations are spending just over $5m (€4.3m) adapting processes, hiring external training solutions and purchasing software.
In fact, training is legally required by the GDPR. Organisations are tasked with providing both training and resources to their data protection officers to ensure they’re an expert in data protection and familiar with the workings of the business. The data protection officer is also required to secure training in data protection awareness for the organisation.
All of these measures are simply good business practice. IAPP’s report found that, while compliance and mitigating the likelihood of a data breach are first priorities, 69 percent of organisations cite a desire to meet the expectations of clients as the reason they have a privacy team in place. Furthermore, 61 percent cite a desire to earn the public’s trust, and 56 percent say privacy is vital to the brand’s image.
The most mature privacy operations see the GDPR as an opportunity to get ahead of the pack. Those who wait too long to respond to the GDPR may struggle to catch up.