André Bywater recently met in London with Adam Turteltaub, Vice President of Strategic Initiatives & International Programs of the Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE). They discussed GDPR after its implementation date.
May 25, 2018 was the deadline for companies to comply with the new European General Data Protection Regulation (GDPR), and for many organizations, it was a very long slog just getting there.
André warns, however, that it’s best not to think of that date as an endpoint. Instead, it’s a starting line for a new era in data protection.
Many complaints have already been brought before data protection regulators, and they have led to subsequent investigations based on allegations of violations. One organization has already been told to stop processing data.
So, the consequences for violations are real and, notably, they extend beyond the EU.
Even companies that have done an excellent job preparing for GDPR need to remain vigilant, particularly for data breaches. Hacking is a problem and a headline grabber, but there is a significant day-to-day challenge with human error: lost laptops, stolen mobile phones, etc. Under GDPR, organizations have to report these incidents promptly to the regulator and may have to tell the individuals involved.
This need to report quickly makes it essential for compliance teams to have a plan in place for responding, even before the breach occurs.
Another issue to prepare for: individuals have the right to ask what information the organization has collected on them. That can be a time-consuming process that includes paper records. Once again, it’s important to have plans in place before the request comes in.
In summary, GDPR poses significant ongoing challenges and will be a part of compliance efforts for a long time to come.
Listen in to the podcast here to learn more about what you should be thinking about and doing.
Cordery’s Data Breach Academy can be an effective way of helping manage a data protection breach. There are details here: http://www.corderycompliance.com/cordery-data-breach-academy-2-2/.
To find out more about the work we do in connection with data breaches and our four point plan, visit our website here: http://www.corderycompliance.com/dealing-with-a-breach/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| --- | --- |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |