Lessons learned:
· 1. It’s not just about posting a privacy notice on your website. The GDPR is about transparency, notice, and giving your customers power over their personal data. This means there must be real changes in corporate procedure, in how companies secure information against breaches, and in what happens after a breach.
· 2. Privacy compliance should not be an afterthought. Companies need to address privacy issues at the development stage to avoid penalties, because it is only a matter of time before a breach occurs. It is much more costly to audit and revamp corporate structure later.
· 3. Data mapping and training are great for maintaining compliance. Knowing where the data flows, when consent needs to be obtained, and what processing is happening will help you comply with privacy law. You also need to make sure your employees know how to properly handle personal data. This will become even more important as the industry begins to explore other services like data trusts.
· 4. The cost of non-compliance is more than just fines. A fine under the GDPR may be up to €20,000,000 or 4% of global annual revenue from the previous financial year, whichever is higher. This year in March, the Polish data protection authority fined a small company €220,000 for failing to inform consumers of processing activities. The data protection authority also ordered the company to notify data subjects even though the cost would be approximately €6,978,000 to send notices by post.
· 5. The GDPR is only the beginning. The GDPR is the start of a new wave of comprehensive, global privacy law updates. In North America, major events include: the California Consumer Privacy Act coming into effect January 1, 2020; efforts towards a Canadian Digital Charter; and continued calls and consideration for a US federal privacy law.