Why should you read any GDPR related material?
Completely ignoring new regulation is natural. After all, it is external change, and most people tend to postpone dealing with change or ignore it altogether - especially if it requires leaving one's comfort zone. The problem is that failing to act on this specific regulation might get your company in deep trouble. Deeper than you might think. It is not a slap on the wrist - but rather a real, threatening financial risk exposure.
Just to get a sense of how serious the EU can be, see this BBC piece covering Google's June 2017 fine of a whopping $2.7B. That is $2,700,000,000 on the company books! The maximum GDPR fine is 20M EUR, or 4% of total worldwide annual turnover, whichever is bigger, so you could consider it an exposure to deal with.
We are lucky we are not a European company
Well, you're asking the wrong question.
The question is not where your company is listed, or where it is operating. The relevant question is: "Does your company collect/transfer/process/analyse/store data that may be related to EU citizens?" If the answer is positive, the GDPR may be enforced on your company. 'May', since there will be debate on how aware companies are of EU citizens' data, but if, for example, your website has any reference to the Euro currency, or any marketing material is translated into a common EU language, you might be considered to be targeting EU citizens.
In effect, by disregarding the company's origin, the GDPR is one of the first regulations to be applied globally. The EU did provide an FAQ on data that leaves the EU, but the exposure can be created without you knowingly acknowledging it.
We're dealing with companies, not directly with people
In chapter 4 of the GDPR, two types of stakeholders are identified: controllers and processors. A company can be either of these, or both, and each role has specific requirements.
The controller is the stakeholder that collects the data and thus controls how it can be handled down the line. The processor provides services for the controller, such as storage, analytics, processing, etc.
It is important both to identify your company's role in the data flow and to act accordingly. It is worth mentioning that the role is defined per data flow, and some companies might find themselves in different roles when dealing with different data flows.
We're good: data is stored on an inaccessible tape in the mountain
It sounds like the chances of a personal data breach are not high, but the GDPR covers much more. If you read through the GDPR, you'll find several references to data loss. Recital 83 and Article 32 are good examples. Those items clearly state that, when assessing the methods used to store data, the state of the art must be considered, and special care should be given to "accidental or unlawful destruction, loss...". This means that the GDPR covers not only personal data breaches, but also personal data loss and destruction. If data is stored as a single copy, any loss of that data, or even an external audit of the measures taken, might create risks.
Where should we start?
The GDPR requires appointing a data protection officer - the DPO. While appointing a DPO is not required in all cases, it is a good idea to have someone in the company responsible for the role, even unofficially. The DPO is the primary point of contact for planning towards compliance, monitoring news from the EU for changes in the regulation, and applying new measures internally. The DPO must get the needed support from upper management, since the DPO's reach may cross department boundaries; this feels more like the controls enforced by the Sarbanes-Oxley Act than like other compliance requirements, which are department specific.
Some useful external references
- The EU Justice department page related to data protection
- The official GDPR page, also available in better formats like this and this
- Gartner's May 2017 panic call
- UK's ICO org GDPR preparation checklist
How is NooBaa related to all this?
Whether your company is a controller, a processor or both, NooBaa's solutions can greatly simplify your journey to achieving compliance in much less time and in a cost-effective manner. We'd be happy to help.