The GDPR is the world's widest-reaching data privacy regulation, a crackdown on organizations to protect individuals' personal data (learn more about the GDPR here). Its implications are far-reaching: within hours of the GDPR taking effect, complaints seeking almost $10 billion in fines were lodged against companies such as Facebook and Google. The outcome of those complaints remains to be seen, but the GDPR's arrival had clearly made its mark. Here are some excerpts from the panel discussion:
Were organizations ready for the GDPR implementation date, and do they believe there will be a grace period before fines are imposed?
Simon - "Speaking to customers, my general feel is that only a low number are ready for the GDPR; many are taking risks and waiting to see who will get fined first."
Adam – "Customers feel they will have a grace period. Most customers are doing something, but are not fully compliant, which is a big concern. Some are, but the majority aren't, and are waiting to see what will happen. The GDPR was announced two years ago, but the Privacy Commission is understaffed, so there will be time before penalties are handed out. This doesn't mean it won't happen; the fines are ready to be handed out. Also, companies in the EU are taking it more seriously. Outside of the EU, it depends on their size and the extent to which they do business in the EU, and those not yet prepared are quite nervous. My phone is ringing off the hook from this type of customer – they are no less interested."
What are the key tools that organizations need in order to comply with the GDPR?
Avital – "A key tool would be discovery: customers need to be able to find their data subjects' data accurately and in a timely manner, across all channels. Customers need to be able to perform deletion on demand for requirements such as the right to be forgotten. Extraction is also important for requirements such as data portability; organizations need to retrieve data accurately on demand, using a flexible system."
Simon – "Yes, customers need to be able to delete calls. They think this is a superficial process, but they don't yet understand the challenges and complexities of the regulation and what this involves. Data portability, for example, needs to be given in a universal format and not in the format they use; this is more intense than customers anticipated."
What type of organization do you think will be the first to be fined?
Simon - "Large to medium, as was reflected in the news. To make an example quickly and hit hard, though the GDPR hits everyone."
Adam – "I think certain industries are more sensitive, depending on the different kinds of data they process. Healthcare and financial services with special categories of personal data are particularly vulnerable to fines if they haven't complied with the GDPR."
Do you think "I didn't know about the GDPR" is a reasonable defense to give an auditor?
Adam – "Definitely not. The auditor was very specific: none of those answers will carry water. However, GDPR preparedness doesn't need to be perfect. We don't yet know the legislative position; showing good-faith efforts is more important. Showing that policies, protocols and systems are in place, as well as an earnest attempt to comply, will be a big mitigator of liability. Doing a lot of work to ramp up for the GDPR is critical, as is staying abreast of GDPR compliance, with an ear to the ground as to how it is being implemented and interpreted and why fines are being given out."
Watch the full panel interview here for more about the need to appoint a DPO, tips on what organizations should focus on as a first stage, juggling the GDPR with other regulations, and much more.