If your organisation is based in the Gulf, you might wonder why people are telling you to comply with the EU General Data Protection Regulation (GDPR). Why should an EU law apply to you?
Unfortunately, it’s not that simple. The GDPR, the new EU law designed to strengthen the rights and freedoms of people in the EU regarding their personal data, applies to organisations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour, whether or not the organisation has an establishment in the EU. Organisations across the globe will be affected, and if you’re one of them, you need to pay attention. Here are four reasons why:
1. The GDPR takes effect soon
The Regulation takes effect on 25 May 2018, leaving organisations little time to prepare. There are many requirements that need to be met, so the sooner organisations become aware of the ins and outs of the GDPR, the more time they give themselves to be compliant by the deadline.
2. It will help you prevent data breaches
By better protecting data subjects’ information, organisations are also mitigating the risk of data breaches.
A breached organisation typically suffers long-term financial effects. It will have to respond to and investigate the incident, improve its security measures to prevent further breaches, and probably also pay a regulatory fine. There is also the risk of a lingering drop in its share price.
Under the GDPR, controllers and processors have a direct legal obligation to secure the personal data they handle (Article 32, security of processing). They must also adopt data protection by design and by default (Article 25), which means that privacy and security requirements are built into a product, service or process from the very start of the project rather than bolted on afterwards.
The GDPR also limits the damage a breach can do through its data minimisation and storage limitation principles: organisations may collect only the personal data they actually need for a stated purpose, and may keep it only for as long as that purpose requires. Less data held means less data exposed when a breach does happen.
3. You’ll improve your reputation
Data breaches and cyber attacks are making headlines more often these days, and they’re usually accompanied by a string of embarrassing stories of the organisation’s security failures – from an employee falling for a phishing scam to a company leaving data online without any password protection.
Complying with the GDPR does not make an organisation immune to attack, but it makes these kinds of embarrassing incidents less likely, and it lets the organisation demonstrate to customers and partners that it takes data protection seriously.
4. You could face strong enforcement action if you don’t comply
Supervisory authorities have the power to fine non-compliant organisations up to €20 million (about 87 million SAR) or 4% of their annual global turnover – whichever is greater. Fines of this size will be rare, and reserved for only the most flagrant offences or failure to heed repeated warnings.
This doesn’t mean organisations can ignore the risk of enforcement action. A lower tier of fines, up to €10 million or 2% of annual global turnover, applies to other infringements, and supervisory authorities also have corrective powers that do not involve fines at all: issuing warnings and reprimands, ordering an organisation to bring its processing into compliance within a set period, or imposing a temporary or permanent ban on processing.
How you can become compliant
The GDPR is a complex regulation, so it will take a lot of time and effort to meet its requirements. However, you can make that process easier with our EU GDPR Documentation Toolkit.
This toolkit has been used by hundreds of organisations worldwide, and includes easy-to-use templates, customisable worksheets, policies and expert guidance. It will help you:
- Identify risks to personal data and put in place the necessary controls to mitigate those risks;
- Embed the documentation into your organisation quickly and easily; and
- Integrate GDPR documentation alongside your ISO 27001