GDPR Is Here—Are You Compliant?

By Jeff Gerkin, Executive VP, Sales

Significant fines, corrective measures, and reputational damage—these are all real consequences that your company could face if it is not compliant with the European Union’s General Data Protection Regulation (GDPR). Although in effect since 2016, the post-adoption grace period officially ended on May 25, 2018. Despite the hefty penalties, Gartner predicts that by the end of 2018, more than 50 percent of companies affected by GDPR will still not be in full compliance with its requirements.1 If your company is not yet compliant, you may see GDPR as a burden. However, investing in GDPR compliance does not have to be just about avoiding penalties—it also provides real opportunities for your company to gain a competitive edge by creating a solid foundation for data management.

GDPR is a legal framework that governs the collection and processing of personal information of individuals within the European Union (EU). Its aim is to protect the personal data of EU citizens and provide them with the necessary rights to manage their personal data. While GDPR protects the rights of EU citizens, compliance is not limited to organizations within its borders. Regardless of location, U.S. companies must comply with GDPR if they process personal data of EU citizens and visitors in any capacity.

Not only do U.S. companies need to navigate GDPR, but they also need to prepare for forthcoming U.S. data privacy laws. Following the GDPR trend, California passed a significant data privacy law in late June that gives consumers unprecedented control over their personal data.2 Under this new law, consumers have the right to know what information is being collected about them, why it is being collected, and with whom it is being shared. Businesses must also delete personal information and agree not to sell or share data upon the request of a consumer, while providing them with the same level of service. The state’s Attorney General will have more authority to fine businesses that are not compliant with these new regulations. The law, which goes into effect in January 2020, is arguably the most comprehensive data privacy law in U.S. history, and it will most likely not be the last. It is only a matter of time before more states introduce data privacy laws—businesses that start the GDPR compliance process now will be ahead of the data privacy game.

To get ahead of the curve, it is critical to know how GDPR requirements impact your business operations. The European Commission identified these five key changes under GDPR3.

  1. Companies must communicate their privacy policies in a clear, simple terms.
  2. Individuals must give explicit consent for a business to use their personal data; silence does not indicate this consent.
  3. Citizens have stronger rights regarding their personal data. They can move their data from one business to another, access a copy of their data that has been collected by a business, and have a “right to be forgotten,” meaning companies must delete a citizen’s personal data if requested. Companies also now have a responsibility to inform citizens immediately in the event of a harmful data breach.
  4. Organizations must be more transparent regarding the purpose and use of collected data. Businesses are obligated to notify citizens if their data is transferred outside of the EU, clearly inform them of the purpose(s) for collecting and processing data, and disclose if any algorithms are used to make an automated decision based on user data (e.g., a loan application), and also provide them an opportunity to contest the decision.
  5. Organizations face stronger penalties and fines for non-compliance. Each of the 28 EU member countries has a data protection authority (DPA) that provides guidance on and interpretation of GDPR regulations. Together, these authorities comprise the European Data Protection Board, which can make binding decisions in the event that several EU countries are involved in a compliance issue, ensuring that GDPR is enforced uniformly across the EU. If a business violates GDPR, DPAs can impose fines up to 20 million Euro or four percent of a company’s revenue, as well as corrective measures, such as ordering a business to stop processing personal data. Less measurable, but no less important, is the damage to a company’s reputation after breaching GDPR.
     

Reading these requirements and penalties can be overwhelming, however, there are steps that all IT leaders involved in security, risk, and privacy management can take to ease their path to compliance: GDPR requirements

  • Appoint a data protection officer (DPO)
  • Create a task force to address the challenges the organization faces under GDPR
  • Review personal data processing operations for subject rights enforcement and cross-border data flow compliance, including adequate data processor selection
  • Establish and maintain an internal framework for accountability, including mitigation of risk resulting from the data processing activity
  • Strengthen transparency by instituting comprehensive central business registration and documentation of data processing activities
  • Seek legal advice, where necessary, in the pursuit of risk-based timely compliance decisions

By engaging a trusted partner with demonstrated experience in regulatory compliance, your company will benefit from experienced professionals who can guide you through these steps, ensuring you are not at risk of penalties while also creating a solid foundation for data management.

For more than 15 years, CTG has been a market leader in IT-related validation services, and our suite of GDPR Compliance Services are designed to address both short and long-term client needs. From a compliance assessment resulting in a remediation roadmap, to a customized implementation solution, our highly configurable approach meets you where you are in the compliance process and leverages the 13-step approach defined and promoted by the Belgian Supervisory Authority.

CTG also offers Data Protection Officers (DPO) to get your compliance on track and assume DPO responsibilities based on your unique needs. In addition, we provide state-of-the-art data security technology, such as encryption and privacy office automation, to optimize your organization's privacy processes.

Data privacy is a growing global trend, evidenced by GDPR as well as California’s privacy legislation. Those companies on the forefront of addressing data compliance will have a leg up on the rest of the market as these new laws evolve and multiply, while those with a “wait and see” approach will likely be playing a costly game of catch-up to avoid significant penalties. 

To learn more about how CTG can help your organization meet its GDPR compliance needs and gain competitive advantage, send me an email at jeff.gerkin@ctg.com or visit www.ctg.com. Join my CTG colleagues and me as we guide you through the essentials of GDPR compliance and provide an understanding of the most critical requirements and challenges during our September webinar, “The Gist of GDPR,” on September 25. Register here.

Featured

Opportunity is calling - are you ready? We're excited to highlight these new hand-picked health IT positions. Check out the list and apply: Patient Access Business Analyst - Epic Grand Central CTG...
Opportunity is calling - are you ready? Check out these hot new opportunities from our Health Solutions team.  CERNER REVENUE CYCLE PROJECT MANAGER CTG Health Solutions is in need of an Cerner...
This week, we had a team meeting and Jochen, our Unit Manager, had a great idea, “Why not tell the public how much you like your company?” This is indeed something we should do more often. He put...
BUFFALO, N.Y., October 30, 2018—CTG, a leading provider of information technology (IT) solutions and services in North America and Western Europe, announced recently that Cynthia Sims has been named...
Opportunity is calling - are you ready? Check out these new hand-picked positions from our Health Solutions team.  HEALTHSTREAM – MORRISEY MSOW SUPPORT ANALYST Seeking a Healthstream Morrisey Web...