So, what is GDPR and what does it have to do with me and my association?
Perhaps you’ve heard of the Google and Facebook data breaches, which may have you questioning your (and your members’) data privacy. “Data protection” is a huge buzzword these days, and the European Union (EU) has pioneered a way to protect data: enter GDPR, or General Data Protection Regulation, which replaces the Data Protection Directive 95/46/EC. GDPR standardizes data protection law and imposes strict rules on controlling and processing personal information, not just for countries in the EU, but also for anyone who offers goods and services to or monitors the behavior of data subjects in the EU.
At AMC, CIO Vish Kalambur and the IT team have been working to ensure our client partners are in compliance. If your organization meets the requirements to comply with GDPR and decides to ignore the rules, it can be fined up to 4% of its annual global turnover, or almost $23 million. Additionally, compliance applies to both controllers and processors, so cloud providers are not exempt from the rules.
How do you make sure you are complying? While remaining GDPR compliant (and avoiding that hefty fine) is a complex job, you can break it down into 12 general steps:
- Individuals must give consent for processing personal data.
- You will need to appoint a Data Protection Officer (DPO) if you process high volumes of personal data.
- Comply with data subject access requests (DSARs) within one month.
- During development, products, systems, and processes must consider privacy-by-design concepts.
- Carry out Privacy Impact Assessments (PIA) in certain situations where data processing bears a high risk to the rights and freedoms of a natural person (see GDPR Article 29 and Article 35(3) for more specifications).
- Any privacy notices must be easily accessible, transparent, and have clear and plain vernacular.
- You must obtain explicit consent for profiling for marketing, and individuals have a right to not be subject to it.
- Data Controllers must keep a record of processing activities.
- Users may request portable personal data.
- Data subjects have the right for their data to be deleted.
- Individuals must be informed of their right to opt out of direct marketing.
- Data controllers must report personal data breaches within 72 hours of discovering the breach.
While this appears to be a simple checklist, it is in fact an involved one that requires the collaboration of every team in your organization. Such teams and persons include:
The Data controller, who defines how the data is processed and what it’s used for. Then data moves on to the…
Data processors: the internal groups that maintain and process these records, OR an outsourcing firm that performs all or part of these activities. All of this is overseen by the…
Data protection officer, who oversees GDPR compliance and the data security strategy, all for the best interests of the…
Data subject, who has the right to privacy AND transparency.
Your current data privacy system might have gaps of which you are unaware, which is why it is very important that your teams pay close attention to the compliance process. Gaps can fall under many areas, including the legal basis to process data, data usage guidelines, data transfer agreements, data subject rights and their fulfillment, data breach reporting, vendor contract reviews, and the following policies: privacy, social media, data portability, and the right to be forgotten. Identifying and fixing these gaps is the place to start your GDPR compliance efforts.
Remember, compliance is forever, so it is important not only to start the process but also to ensure that your organization has solid data management practices that act as guard rails as it introduces new programs and services that collect more data from your customers. While adhering to the GDPR policies is a huge effort, look at it from the perspective of RISK, and remember Benjamin Franklin’s adage, “An ounce of prevention is worth a pound of cure!”
Keep your eyes open for an upcoming blog about what AMC is doing to help our clients comply with GDPR—coming soon!
Vish Kalambur is AMC’s Chief Information Officer and Megan Toal is a content marketing associate on the Creative Media Services team.