The EU General Data Protection Regulation (GDPR) is about 2 years old, and we’re beginning to understand how it works. So far, it’s a cautionary tale for every business with an EU presence – and, as other countries adopt the GDPR model, for any organization anywhere. If you’re not doing anything to become GDPR compliant, don’t be surprised if the regulators turn a spotlight on you. Let’s take a look at what GDPR enforcement means.
Who Are They Going After?
Pretty much everybody. If you do business in the EU, it could be you. Enforcement targets have included British Airways, hospitals, and retailers; even public schools and mom-and-pop internet cafes. So no matter your size or international presence, don’t imagine for a moment that you’re exempt from compliance or enforcement. Yes, they do go after the big, obvious actors – we’ve heard about Google and Facebook – but their strategy is to target a broad sample just to keep everyone on their toes. You could be next, regardless of who you are, what you do, and how big or small your organization is.
When Can They Go After You?
Citizen complaints are part and parcel of the GDPR, but no complaint is necessary to trigger an investigation. National Data Privacy Authorities (DPAs) are actively targeting a sampling of businesses by 1) checking to see if a retention schedule is in place, and 2) auditing electronic systems to make sure the schedule is implemented. DPAs have the right to do that – in fact, they have the right to do pretty much anything they want. So, if they shine the spotlight on you, anything’s fair game.
What Constitutes a Violation?
It’s up to them. A DPA isn’t bound by any external rules or guidelines and has plenary enforcement authority within its area of operation. Current enforcement actions have resulted in everything from approval of a practice to fines that are quite substantial relative to the size and value of the business. It’s worth noting, though, that the amount of the penalty is proportional – significant enough to hurt, but greater or lesser depending on whether the DPA thinks you’re trying to comply. Whether or not the DPA likes what you’re doing, it can respond pretty much as it sees fit.
So the effort you put into GDPR compliance, even if the results aren’t perfect, is certainly worth it to reduce the sting of any penalties you might be assessed. And if you’re not doing anything to get GDPR compliant, you’ll definitely feel that sting! Remember: what they’re auditing you against is often your own policies and retention schedule. You have some control over your destiny here.
What Can You Do?
Avoid the spotlight. GDPR compliance comes down to some very basic records management:
- Limit data collection to what you really need in the first place. If you collect personally identifiable information you don’t need, you’re only creating unnecessary risk. An information governance advisor can help you identify what is necessary to collect and when.
- Know where data is and where it goes. If you don’t know where information is stored, you won’t be able to manage it effectively. Your information management policy should make it easy for end users to store information correctly. That means implementing a document management solution that allows for automatic metadata capture and classification.
- Promptly destroy data once you’re done with it. No information management framework is complete without a clear, defensible disposition process. Ensure that your retention schedules are complete and correctly followed – they will provide a full audit trail for defensibility in case the regulators turn the spotlight on you. The longer you retain a piece of unnecessary information, the more risk you invite.
It’s all about good data management and a rigorously enforced retention schedule. This is something you should have been doing all along, and now you have one more compelling reason to do so.
For more actionable insights into how your organization can ensure and prove GDPR compliance, check out our recorded webcast: “GDPR and its Impact on Info Management & Governance”.