Happy Birthday GDPR

Lessons learned:

·       1. It’s not just about posting a privacy notice on your website.  The GDPR is about transparency, notice, and giving your customers power over their personal data.  This means that there must be real changes in corporate procedure, how companies secure information against breaches, and what happens after a breach.

·       2. Privacy compliance should not be an after-thought.  Companies need to address privacy issues at the development stage to avoid penalties because it is only a matter of time before a breach occurs.  It is much more costly to audit and revamp corporate structure later.

·       3. Data mapping and training are great for maintaining compliance.  Knowing where the data flows, when consent needs to be obtained, and what processing is happening, will help you comply with privacy.  You also need to make sure your employees know how to properly handle personal data.  This will become even more important as the industry begins to explore other services like data trusts.

·       4. The cost of non-compliance is more than just fines.  A fine under the GDPR may be up to €20,000,000 or 4% of global annual revenue from the previous financial year, whichever is higher.  This year in March, the Polish data protection authority fined a small company €220,000 for failing to inform consumers of processing activities.  The data protection authority also ordered the company to notify data subjects even though the cost would be approximately €6,978,000 to send notices by post.  

·       5. The GDPR is only the beginning.  The GDPR is the start of a new wave of comprehensive, global privacy law updates.  In North America, major events include: the California Consumer Privacy Act coming into effect January 1, 2020; efforts towards a Canadian Digital Charter; and, continued calls and consideration for a US federal privacy law.

For more information and if you have any questions contact MDK's Kimberley Chew Leung at kimberley@businesslawadvice.com