Companies that offer goods and services to EU citizens will have to intensify their focus on privacy issues when the European Union’s General Data Protection Regulation (GDPR) takes effect in April 2018, according to a report by consultancy firm PwC.
Companies that don’t comply with the GDPR requirements face fines as high as 4% of their annual revenue, the authors of the report note, citing the EU’s General Data Protection Regulation. Court precedents in Europe are also introducing a new risk for companies there: privacy class actions.
“A half-billion EU citizens will be poised to hold multinationals accountable to this higher bar through new rights they will begin exercising one spring morning a year and a half from now,” said Jay Cline, Principal, Cybersecurity and Privacy at PwC, as cited in the report.
These requirements will impact organizations that do business in Europe:
Mandatory data inventorying and record keeping of all processing of European personal data.
Mandatory data-breach notification to regulators and individuals whose information is compromised.
The right to be forgotten, which allows individuals to request that their personal data be erased.
Routine privacy impact assessments.
Mandatory data protection officers (DPOs).
“Businesses may be required to conduct comprehensive risk assessments and implement new end-to-end security enhancements,” the authors of the study say. “Many will need to rethink data-governance strategies, and implement processes and technologies for maintaining comprehensive data inventories. (…) Organizations can help get ahead of the regulation by conducting a GDPR readiness assessment, remediating GDPR gaps to a level of operational adequacy and instituting an ongoing compliance-monitoring process.”
Many US businesses will also need to address Privacy Shield, the successor to the Safe Harbor framework that governs the trans-Atlantic transfer of personal data of EU citizens.
“Privacy Shield membership will undoubtedly increase scrutiny of the storage and transfer of any kind of data, from social media posts to payroll processing,” they add. “Compliance is likely to be potentially onerous. US businesses, for instance, will be required to identify third parties with which they share personal data of EU citizens. They also must conduct privacy due diligence of third parties that process EU personal data and produce evidence of compliance on demand—signed by an officer of the company.”
Many businesses will also need to update data inventories and dataflow maps to verify how they handle EU personal data. They also should conduct a cost-benefit analysis of Privacy Shield compliance and complete operational adequacy controls that test model contract commitments.
In PwC’s annual survey, the most-cited privacy priority over the next 12 months is privacy training and awareness, with updating of privacy policies and procedures a close second.