There are now fewer than 12 months until GDPR D-Day. The 25th May 2018 will usher in robust new obligations for any business that processes personally identifiable information about anybody who is an EU citizen.
The fines for a GDPR breach of 20 million euro or 4% of global annual turnover have been widely documented. This has been underlined by recent analysis from global management consultancy Oliver Wyman, which found that FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the new regulation.
GDPR goes beyond the realms of merely ticking the boxes and hoping for the best. It is imperative that every business gets this right, and the key to this is accountability.
The need for accountability in data privacy can be traced back to 1980 and the privacy guidelines then issued by the Organisation for Economic Co-operation and Development (OECD), which described accountability as “showing how responsibility is exercised and making it verifiable.” This definition also describes how GDPR will operate in practice. GDPR seeks to strengthen the responsibility of data controllers and data processors in relation to the processing of personal data.
The measures organisations must put in place include documented processes, data protection impact assessments and a data security methodology. They must also appoint a mandatory data protection officer for any large-scale processing of personal data, and keep up-to-date records of their processing activities.
Accountability Underpins GDPR Rollout
The European Data Protection Supervisor (EDPS), in its Accountability Fact Sheet, states that accountability in personal data processing requires:
Although the word accountability appears only rarely in the text of the GDPR, the core concept of accountability underpins the entirety of the regulation.
Businesses need to demonstrate that they are properly compliant, which includes practising and enforcing the policies and procedures outlined by GDPR. It is up to businesses to build a framework upon which a culture of privacy can be established.
This means real change to the culture of an organisation. Accountability cannot be an afterthought in your GDPR preparation; it needs to be at the core of your GDPR plan now, in May 2018 and for evermore.
GDPR fines won’t just follow a huge cyber-attack or similar event; they will hit hard whenever an organisation is found to have no data protection impact assessment, no data protection officer, or no end-to-end GDPR lifecycle in place. Even one missing piece of the puzzle could cost companies huge amounts of money.
GDPR requires organisations to comply with the new regulation, but it also offers the opportunity to enhance your business by committing to the ethical use of personal data. You can use this emphasis on accountability to present your organisation as a bastion of individual privacy rights, which can play an integral part in whether someone chooses your company over a competitor.
The time to act on GDPR is now, but it’s important to remember that any plan you put in place must have accountability as a core component, to enable you to be compliant in May 2018 and to future-proof your organisation for years to come.