Data privacy challenges for organisations are wide-ranging. They include reviewing company policies and procedures, website compliance, security measures (e.g. CCTV), internal employer/employee privacy issues including employee contracts and the employee handbook, review of third-party contracts and service agreements, and marketing activities including CRM/CCRM and CDP databases.
The consequences of failing to comply are significant: the GDPR allows the regulator to impose administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is the greater. The Irish Data Protection Act 2018 also makes provision for administrative fines of up to €1 million to be imposed on public bodies or public authorities, and the Act further establishes a number of criminal offences punishable by a fine of up to €250,000 and/or 5 years’ imprisonment on conviction on indictment. Even these fines may be small compared with the cost of reputational damage and the cost to the business.
Benefits of Compliance and Managing your Data
Data compliance is a benefit, not a burden, to your organisation. The commercial benefits of data privacy compliance and of holding quality data cannot be overstated. An organisation should actively manage its data. This is particularly relevant for SMEs, start-ups and other organisations with limited human and financial resources. Benefits include a more efficient, secure and competitive organisation. These translate into enhanced cyber security, better data management, increased marketing return on investment (a leaner, more efficient customer database) and greater customer loyalty and trust.
The financial cost to an organisation of poor-quality data is significant: studies have shown it can range from 15 to 20% of turnover. Costs arise, for example, from re-working and correcting data, cross-checking and validating data, not knowing where data is held, and storing data physically in paper format.
Your data should be a valuable asset to your organisation and should be properly managed.
Here are some examples of other areas organisations need to consider to comply with the GDPR:
Any personal data a company holds is caught by the GDPR, whether it is information on current or former employees, on unsuccessful job applicants (old CVs, for example), or on suppliers, contractors and other service providers. Access to this personal data within the company should be granted only to those persons whose job requires it.
Every website should carry a privacy statement on its front page explaining how and why personal data is collected from users of the website and what is done with that data.
If your company is thinking of installing CCTV cameras to protect its premises, it will need to comply with the requirements of the GDPR. In particular, it is most likely that your company will need to carry out a data privacy impact assessment before deciding whether it is necessary to install the system.
If your company uses the services of a third-party cloud provider for the off-site storage of personal data, you will need to review your service contract with that provider to ensure that they are GDPR compliant. If the provider is not in compliance, neither are you, and you may consequently be liable for any breach of the GDPR.
If you are a US citizen in Europe and use a service that processes personal data while you are there, even a service with no base in Europe, the GDPR will apply to that service provider, and you, as a user of the service, will have the benefit of all the privacy protections the GDPR provides.