The directive on data protection will be the nightmare of 2018
Individuals increase their rights, including that of oblivion. However, Institut Forrester expects that 80% of companies will not be compliant with the European directive on the protection of personal data (GDPR) by next May 25. With a wait-and-see attitude at the moment, companies risk to be panicking at the beginning of the year.
Companies which aren’t ready on the day are at risk of being fined the equivalent of up to 4% of their global turnover. A potentially dramatic amount.
The European directive, the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, grants more rights to individuals, including the right to oblivion; however, for companies, it’s a headache.
Companies will have to ensure informed consent on the part of individuals about the collection and the processing of their data; consent which they must be able to collect and prove, Les Echos explain. Data should be retained as long as necessary and access, modification, recovery as well as deletion at the request of the individuals concerned should be guaranteed, adds the daily paper.
Companies will also ensure that data is secure at all times and in all places, and they will have to be able to show at all times the measures and procedures used to this end. This will be more stressful than the Millenium bug!
Sanctions for Non-Compliance
Eric Krzyzosiak, Executive Director of SGS’s digital services, said, during the investor day of the Geneva group, that 75% of SMEs are not ready for the GDPR.
The regulation affects all companies having customer relations in the European Union. A drama about to unfold: in its forecast for 2018, the research company Forrester expects that 80% of companies will not be compliant.
The attempt to escape through the net of this Act envisioned initially by Germany is still a common attitude. However, the authorities of the different countries are sending unambiguous signals. They firmly intend to punish non-compliant companies, for example including those who are unable to prove their good faith.
According to our information, there is no panic (yet), but it will spread at the latest in February. The directive is an opportunity for some IT advice and consulting groups and cyber security specialists, but it’s a nightmare for institutions and businesses, especially of small and medium-size. The cost of the investments is significant for everybody. Société Générale, which has just appointed a Data Protection Officer (Antoine Pichot), states that this compliance exercise will cost “a few tens of million euros”. According to SGS, this directive is an opportunity amounting to 3.5 billion euros for the computer services industry.
The End of “Silence is Consent”
For private individuals, the GDPR adds to the existing rights that of oblivion, as well as a totally new approach on consent. The consent must arise from a positive action. “Silence is consent” will not be GDPR compliant, explains media specialist Usine digitale.
Customer relationships need to be professionalised. The majority of companies do not know who owns the data and where it is stored. Knowing where the data is, who is holding it, how to find it quickly and securely are keys aspects of the GDPR, states CIO-online’s newsletter.
The situation is far from optimal: 15% of surveyed decision makers, working in companies of more than 1000 employees, do not even know how much personal data are collected by their business every day, according to a study conducted by OnePoll for Citrix, and quoted by CIO-online.
In large companies, 8% do not know how long data is kept, 9% don’t know on what systems. According to this survey, the companies surveyed use an average of twenty-two different management and storage systems for their data, 18% of them go through over 40 different systems.
Forget about it and keep all client records?
In 54% of the cases, companies store client data with third parties. They share them on average with 40 different providers. Finally, 10% of large companies are unaware of how much time and on how many different systems their data is stored.
GDPR is probably the most important change in the rules on protection of privacy for two decades, wrote Le Journal du Net. Legislation however will probably be a bit conflicting, it adds. On the one hand, the right to oblivion is introduced, but on the other hand the company must keep all traces of the contractual relationship with a client.
source: Le Temps