The EU General Data Protection Regulation (GDPR) is about two years old, and we're beginning to understand how it works in practice. So far, it's a cautionary tale for every business with an EU presence and, as other countries adopt the GDPR model, for any organization anywhere. If you're doing nothing to become GDPR compliant, don't be surprised when a regulator turns the spotlight on you. Let's take a look at what GDPR enforcement means.
Pretty much everybody. If you do business in the EU, it could be you. Enforcement targets have included British Airways, hospitals and retailers, and even public schools and small mom-and-pop internet cafes. So no matter your size or international footprint, don't imagine for a moment that you're exempt from compliance or enforcement. Yes, regulators do go after the big, obvious actors (Google and Facebook have made the headlines), but their strategy is to sample broadly, precisely to keep everyone on their toes. You could be next, regardless of who you are, what you do, or how large or small your organization is.
Citizen complaints are part and parcel of the GDPR, but no complaint is needed to trigger an investigation. National Data Protection Authorities (DPAs) are actively auditing a sample of businesses by 1) checking whether a retention schedule is in place, and 2) examining electronic systems to confirm that the schedule is actually implemented. DPAs have the power to do this: Article 58 of the GDPR gives them broad investigative powers, including the right to order disclosure of information, to carry out data protection audits, and to obtain access to premises and data processing equipment. So if they shine the spotlight on you, anything within that scope is fair game.
It's up to them, within limits. A DPA has wide discretion over enforcement within its jurisdiction, but that discretion is exercised against the GDPR's own criteria: Article 83 lists factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the damage, and the degree of cooperation with the authority, and it caps fines at the higher of €20 million or 4% of worldwide annual turnover for the most serious infringements. Enforcement actions so far have ranged from approval of a practice to fines that are substantial relative to the size and value of the business. It's worth noting that the penalty is proportional: significant enough to hurt, but larger or smaller depending on whether the DPA thinks you're genuinely trying to comply. If the DPA likes what you're doing, it has considerable latitude to respond accordingly.
So the effort you put into GDPR compliance, even if the results aren't perfect, is well worth it to reduce the sting of any penalty you might be assessed; mitigation measures and cooperation with the authority are explicit factors in setting the fine. And if you're doing nothing to get GDPR compliant, you'll definitely feel that sting. Remember: what they're auditing you against is often your own policies and retention schedule. You have some control over your destiny here.
Avoid the spotlight. GDPR compliance comes down to some very basic records management:
It's all about good data management and a rigorously enforced retention schedule. This is something you should have been doing all along; now you have one more compelling reason to do it.
For more actionable insights into how your organization can ensure and prove GDPR compliance, check out our recorded webcast: GDPR and its Impact on Info Management & Governance