If the recent flurry of emails from organisations sending privacy policy updates didn’t tip you off, the new EU General Data Protection Regulation (GDPR) commences today.
Reading every one of those emails (something even those of us in the privacy world struggle with), might give you the impression that there’s a standard approach to GDPR compliance. But the truth is that how your organisation has (hopefully) prepared for GDPR, and how it will continue to improve its privacy practices, is highly variable.
We’ve covered the GDPR at length on this blog, and a collection of links to our various articles is at the bottom of this post– but first, we’d like to set out a few thoughts on what the GDPR’s commencement means in practice.
Remember the principles
If the GDPR applies to your organisation, you’ve presumably taken steps to prepare for the requirements that apply under the new privacy regime. Among these are new requirements relating to data breach notification, as well as new rights and freedoms for individuals whose personal data you may be processing.
One aspect of GDPR that has received plenty of attention is the new penalties, which can be up to 4% of an organisation’s annual turnover, or 20 million Euros (whichever is greater). Certainly, those numbers have been very effective in scaring plenty of people, and they may cause you to check once again whether your organisation fully meets the new requirements under the GDPR.
However, the reality isn’t quite so straightforward (or scary). Much of the GDPR is principles-based, meaning that there isn’t always a single way to comply with the law – you need to take account of your organisation’s circumstances and the types of personal data it processes to understand where you stand in relation to GDPR’s requirements.
Although we don’t expect EU supervisory authorities to provide an enforcement ‘grace period’, we’re also of the view that enforcement activities will ramp up gradually. The authorities understand that, for many organisations, GDPR compliance is a journey. Those organisations that can demonstrate they’ve taken every reasonable step to prepare for GDPR, and which have a plan for continuing to improve their privacy compliance and risk programs, will be far better placed than those that have done little or nothing to get ready for the new law.
If your organisation still has work to do to comply with the GDPR, or you want to continue improving your organisation’s compliance and risk program (and there is always more to do!), there is plenty of help available to help you navigate GDPR and understand how it applies to your organisation.
Our previous coverage of the GDPR
Tim compares Australia’s Privacy Act with the GDPR
Melanie spoke to Bloomberg about driving competitive advantage from GDPR compliance
Head to Head: the GDPR and the Australian Privacy Principles (Part 1 and Part 2)
A Lesson in Data Privacy: You Can’t Cram for GDPR
Facebook and Cambridge Analytica: Would the GDPR have helped?
5 things you need to know about GDPR’s Data Protection Officer requirement
If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.