Beancounters at Gartner have added up some numbers and divided by their collective shoe size and worked out that when the GDPR goes live on 25 May 2018 more than half will eligible for fines of up to €20m – or four percent of turnover – for non-compliance.
Gartner research director Bart Willemsen said that the GDPR will affect not only EU-based organisations, but many data controllers and processors outside the EU too.
“Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
All this opens the way for the channel to step in and provide customers with the advice they so desperately need.
They need someone to tell them their role under the GDPR. Outfits need to appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.
Most will have to hire a data protection officer (DPO). This is especially important when the organisation is a public body, is processing operations needing regular and systematic monitoring, or has large-scale processing activities.
Gartner said that too few organisations have found every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity as this will help to keep compliance in future personal data processing activities.
Organisations must prove an accountable ground posture and transparency in all decisions regarding personal data processing activities. Outside parties must also follow relevant requirements that can affect supply, change management and procurement processes. It is important to note that accountability under the GDPR needs proper data subject consent acquisition and registration. Prechecked boxes and implied consent will be in the past. A clear and express action is needed that will require organisations to implement streamlined techniques to obtain and document consent and consent withdrawal.