GDPR: Missing the Deadline?
The EU General Data Protection Regulation will go into effect on May 25, 2018, and as of this very moment, that’s 25 days away. A few months ago, the compliance timeline allowed mid-sized companies to overhaul their entire data management systems searching for areas of potential compromise, it allowed time to address security gaps, and it even allowed time to carefully source, screen and hire a Data Protection Officer if the company’s circumstances required one under the new law.
But at this point, the window is narrowing. That’s fine for those who have been steadily checking off every item on the compliance to-do list, but for those who are just getting started—or just finding out that the law applies to them—this means the time has come to change course or implement Plan B.
And these organizations are by no means alone. According to a survey by Solix Technologies taken at the end of February, about 22% of companies that handle sensitive data still aren’t sure if the GDPR applies to them since they operate outside of the EU but serve European customers. And up to 65% of the companies surveyed are expected to wake up on May 25th with critical compliance issues still unaddressed. That’s no small number.
So if your business seems likely to fall short of the deadline, you have plenty of company. But that doesn’t mean you’re on the right track, and it certainly doesn’t mean that the related penalties (up to 4% of global revenue or 20 million euros, whichever is higher) won’t be applied to you.
If you’re making progress and you have a strategy in place, great. But if not, it’s time to put contingency plans into action. Take these steps, starting today.
1. Map out your course and determine which tasks simply won’t be fulfilled by May. No alert system or reporting structure in place in the event of a hack or data breach? No DPO hiring contract on the horizon? Find out which aspects are under your control and identify those that are simply non-starters.
2. Review the text of the law with a help of a team of GDPR experts. Enlist professional support and go through each line item one at a time. Let go of the items that don’t apply to your enterprise (not every company needs to fulfill hiring requirements, and some elements of the law allow workarounds for certain non-EU data managers). Shift your focus to areas of high exposure.
3. Start right now to establish a culture of compliance. This is something that can be done by any company at any time. Some types of data breach, loss, hacks or exposure may be unavoidable. But many are not, and regardless of specific GDPR compliance issues, there’s never a bad time to start taking data protection seriously.
4. Do what you can with what you have. It’s possible that by May, an appeals process may be in place for those who face specific obstacles or hardships on the path to a new data security infrastructure. But don’t count on this, and instead, try to limit your exposure to fines and penalties using whatever methods are available to you. If and when you’re subject to an audit, be ready to demonstrate your efforts, including your contacts with outside support.