The General Data Protection Regulation (GDPR) is the most prescriptive data protection law in the world, regulating enterprises that process the personal data of individuals in the European Union (EU). Its primary goal is to provide a single, standardized set of data protection rules so that EU residents can understand how their personal data is being used and can lodge complaints, even when they do not reside in the member state where the violation occurred.
The EU adopted the GDPR in April 2016 to strengthen privacy and data protection for individuals in the EU, and since it took effect on May 25, 2018, any organization inside or outside the EU that stores, processes or otherwise handles the personal data of people in the EU is subject to it. Fines for non-compliance are administered by each member state's supervisory authority and can be massive: up to 20 million Euros (about $23.5 million USD) or 4 percent of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Many manufacturing companies have been working diligently to become more customer-centric by gathering and analyzing data on the consumers of their products, and they have been consuming more and more data as part of these Big Data initiatives. The GDPR allows manufacturers to continue collecting, retaining and analyzing personal data, but only for a specified purpose and on a lawful basis, such as the individual's consent, performance of a contract or a documented legitimate interest; where consent is the basis, it must be freely given, specific, informed and as easy to withdraw as it was to give. Manufacturers are also responsible for implementing appropriate technical and organizational security measures to protect this data.
It may appear feasible for US manufacturers to largely ignore the GDPR, since its requirements apply only to the personal data of individuals in the EU and to companies deemed to be doing business there. However, Facebook's recent Cambridge Analytica debacle, in which a political data firm inappropriately used data from over 50 million Facebook accounts, may dramatically speed up the arrival of similar privacy regulation in the US. Even if your company is not yet subject to the GDPR, UHY experts believe it won't be long before similarly onerous privacy legislation arrives here.
If you collect personal data and are not complying with GDPR, you are exposed.
What are the GDPR requirements?
Under the GDPR, organizations must:
Is your organization prepared?
The GDPR is a complex regulation with severe penalties for non-compliance. Since the deadline to comply has passed, there is an immediate and urgent need for organizations to review and adjust their data privacy and protection programs. To build an effective GDPR roadmap, ask the following questions of your organization:
Tackling the GDPR requires the right combination of modifications to business processes and supporting technology. There is much to gain from building an effective GDPR roadmap, but where do you start?
PERFORM A READINESS ASSESSMENT
Conduct one-on-one interviews with key stakeholders such as the Chief Technology Officer, Chief Risk Officer, Chief Information Officer and Chief Marketing Officer, and review all existing GDPR compliance plans and documentation, to assess your organization's readiness for the GDPR. Since awareness of the GDPR is often limited in manufacturing organizations, it is important to educate the entire senior leadership team on its requirements.
DESIGN AN ACTION PLAN
A thorough action plan should include conducting a privacy impact assessment (PIA; the GDPR's own term is data protection impact assessment, or DPIA), creating a data map for your organization and designing a data breach notification procedure. Conducting a PIA to identify and evaluate your organization's privacy risks gives you the basis for an action plan to remediate your GDPR compliance gaps. Creating a data map helps you understand what kinds of personal data you store, why you hold them, who has access to them and where they live across your organization, including at processors and other third parties. Finally, designing a data breach notification procedure enables your data protection officer to notify the supervisory authority within 72 hours of becoming aware of a breach, as the GDPR requires, and to inform affected data subjects without undue delay when the breach is likely to put them at high risk.
IMPLEMENT YOUR ROADMAP
Manufacturers have ramped up their data collection efforts over the past decade, so implementation is where most of the work lies. Work with your key stakeholders to implement your newly designed GDPR roadmap so that data is protected, governed, managed and used effectively in line with your organization's strategy. This is where privacy by design helps: building data minimization and protection into processes and systems from the outset reduces unnecessary data, and with it privacy risk, throughout the data lifecycle.
To sustain compliance, develop and deliver training and formal reporting procedures that ensure continuous compliance and accountability for personal data. It is strongly recommended that your organization perform audits at least twice a year and monitor its systems and processes so that it always has an up-to-date understanding of its privacy risk.
Although personal privacy has been an important topic in the EU since the 1990s, it has not been a priority for most US-based businesses, especially manufacturers. Accordingly, the GDPR represents a set of requirements that many US manufacturers have never dealt with before. Manufacturing companies can create a competitive advantage, and save themselves a lot of headaches over fines, if they address data privacy requirements in their businesses now.