Build, implement and manage a GDPR compliance program with TechLiberate
TechLiberate can help with all phases of the General Data Protection Regulation (GDPR) compliance – from building a plan to implementing processes and controls to demonstrating and managing ongoing compliance.
Most importantly, the General Data Protection Regulation (GDPR) compliance deadline was May 25, 2018. Therefore, companies have to comply with a wide range of compliance requirements. Typically, companies need a combination of technology tools and consulting / professional services to build and implement a compliant program. In conclusion, any organization, regardless of location, that collects, processes and stores personal data from an EU resident must meet new standards of transparency, security and accountability.
Certainly, every strong business plan mitigates against fines and losses, but GDPR fines are at a level never seen before in data protection and have the potential to destroy a business. For example, there are infringements that could incur fines of up to €20 million or 4 percent of worldwide annual turnover – whichever is higher.
If you’re not prepared for GDPR, you’re not alone
That is to say, according to the IAPP-EY Annual Privacy Governance Report 2018, only 44% of companies say they are fully compliant
$3M
Average Cost
Firstly, organizations spend an average of $3M getting to GDPR compliance.
56%
Companies
Secondly, only 44% of the companies reported that they are fully GDPR compliant.
72
Hours
Moreover, GDPR requires data controllers to report rapidly—within 72 hours of data breach discovery.
0
Records of personal data
In addition, if an EU resident requests to be forgotten, you must eliminate all individual records that you process or control
TechLiberate manages your privacy compliance
TechLiberate provides a comprehensive solution to simplify privacy management for the GDPR, CCPA and other global regulations
Although it was passed in June 2018, California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. To clarify, CCPA is targeted at companies that collect and/or sell personal information. Moreover, it is designed to give Californians more control over their own data. Absent a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country.
Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy.
In conclusion, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
Learn more about our GDPR compliance solutions.
FREQUENTLY ASKED QUESTIONS
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). Moreover, it also addresses the transfer of personal data outside the EU and EEA areas.
That is to say, the GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In addition, the California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States.
What is GDPR and how does if affect you?
The GDPR was approved and adopted by the EU Parliament in April 2016. Further, the regulation took effect after a two-year transition period. In addition, unlike a Directive, it did not require any legislation to be passed by government.
To clarify, the GDPR compliance deadline was on 25th May 2018. Moreover, the GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
In short, it applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is CCPA and how does affect you?
The California Consumer Privacy Act of 2018 is a bill passed by the state of California legislature and signed by its governor on June 28, 2018.
Most importantly, beginning Jan. 1, 2020, the bill, in part, would grant a consumer the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.
In short, the bill would also require a business to make disclosures about the information and the purposes for which it is used.
What will happen to companies that have missed the deadline?
If the GDPR deadline has been missed, it is imperative the business in question acts urgently to become compliant. Above all, demonstrating strong data rights management is important to both customers and employees.
For example, they should understand why the data is collected and how it is handled on a legal basis. Moreover, current business data processes need to be looked at as an immediate priority so that the company doesn’t risk non-compliance penalties.
Do businesses need to appoint a Data Protection Officer (DPO)?
Above all, Data Protection Officers (DPO) must be appointed in the case of:
(a) public authorities,
(b) organizations that engage in large scale systematic monitoring, or
(c) organizations that engage in large scale processing of sensitive personal data (Art. 37).
Further, if your organization doesn’t fall into one of these categories, then the organization do not need to appoint a DPO. Moreover, if an organization doesn’t have a DPO, TechLiberate has the expertise, and can be hired to act as the Data Protection Officer for your organization.
What are the penalties for GDPR non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. Certainly, this is the maximum fine that can be imposed for the most serious infringements.
Moreover, there is a tiered approach to fines:
– a company can be fined 2% for not having their records in order (article 28),
– not notifying the supervising authority and data subject about a breach or
– not conducting impact assessment.
Above all, it is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.
What are the fines for CCPA non-compliance?
Most importantly, fines under the CCPA will cap at $7,500 per violation. That is to say, even that maximum penalty is reserved for only intentional violations of the CCPA. In other words, violations lacking intent will remain subject to the present $2,500 maximum fine under Section 17206 of the California Business and Professions Code.
Most importantly, of greater financial concern to businesses is that the CCPA expressly paves the way for the right of natural persons to bring lawsuits for the breach of their “non-encrypted or non-redacted personal information”
In conclusion, the CCPA allows individuals to recover between $100 and $750 per such incident—or greater in the showing of actual damages exceeding $750.
How does GDPR affect marketing strategies?
Data plays a critical part in both digital and direct marketing strategies. Therefore, marketers must ensure they have demonstrated clear compliance and consent. Moreover, CMOs and marketers must demonstrate how the data subject has consented to the processing of their personal data. In addition, marketing databases have to be cleansed and reviewed to ensure that the organization can identify consent which has been granted lawfully and fairly. Although GDPR only affects citizens living in the European Union, it is recommended that companies that operate internationally ensure all of their global audience is GDPR compliant to meet stringent data regulations in the future.
How does GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Above all, data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours. Lastly, CIOs must have strategies in place to issue breach notifications to regulators within 72 hours.
