The EU's General Data Protection Regulation ("GDPR") goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.
GDPR compliance does not rest just with IT - it is everyone's responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law. For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through town halls or other company-wide communications. Supplement online training with in-person role-based training tailored to meet each functional area's unique requirements.
Training, however, is not enough. With Privacy by Design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals, and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.
With May 25th just around the corner and 59% of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4% of annual global revenues or €20 Million (whichever is greater) for non-compliance, lack of awareness could prove to be costly.