EU-Wide GDPR — The Countdown Has Started
Enterprises must comply with the requirements of GDPR by May 25, 2018. GDPR replaces the patchwork of national data protection regulations across Europe with a single regulation. European data protection is therefore ready for a new age defined by cloud, social media, Big Data, and cross-border cooperation. GDPR affects all enterprises that process the personal data of individuals in the EU, including those that do so without having a physical presence in the EU. In the future, organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, so speed of detection is a key challenge. Plans for data breach scenarios must therefore be drafted, and a well-structured procedure put in place for technical clearance and for handling supervisory authorities, customers, and the media. Firms whose core activities involve regular and large-scale processing of personal data must also appoint a data protection officer. A study of Dutch companies in early 2017 by a large audit organization found that a worryingly high percentage of companies are still not ready for GDPR, and that many have yet to even start.
Personal Data — Held by All Enterprises
All enterprises hold personal data. This may be customer data, employee data, citizen data, health data, or data collected through IoT applications such as fitness trackers and connected cars. Organizations must be clear about the nature of the personal data they hold, where it is located, and who has access to it. Even storing data without using it counts as processing under GDPR and is therefore within its scope.
Focus on Preparations — Serious Consequences in the Event of a Regulation Breach
Enterprises risk high fines (up to 4% of global annual turnover or €20 million, whichever is higher) for GDPR breaches. Fines can be imposed whenever organizations fail to comply with the regulation's requirements, even in the absence of a specific security incident. In addition to fines, enterprises also face reputational damage, for example compensation payments to retain customers' loyalty and declining revenue due to loss of custom. In extreme cases, when organizations reveal major security deficits in their processing of personal data (in nature, gravity, and duration) and fail to mend their ways, a definitive ban on processing personal data may be imposed. For an enterprise domiciled in the EU this would in practice mean discontinuing its business, since an enterprise banned from using personal data could not even pay its staff. Given these possible repercussions, organizations are willing to invest substantially in data protection and data security.
Opportunity for You
Companies are desperate for information and insight on GDPR, and they are asking their suppliers. That means you, and if you don't have a view they'll ask your competitors. In January 2018 IDC Benelux will carry out a survey to assess the current situation with GDPR, the challenges, and the anticipated developments in Benelux, interviewing around 175 decision makers from enterprises in the region with more than 50 employees. Some of the questions that will be addressed are:
- How are enterprises preparing themselves for GDPR coming into force in May 2018?
- What support exactly do enterprises need?
- Which areas are subject to major investments?
- What are the key decision-making criteria when selecting a provider and its solution?
- Which providers do you associate with GDPR and how do you rate them?
The deadline for participation is December 22, 2017. Fieldwork will start in January/February 2018.
We would be happy to discuss the project with you and to outline the benefits for your company. We look forward to talking with you.