90% of Companies Unprepared for GDPR Deadline

A flash poll conducted by Baker Tilly Virchow Krause, LLP (Baker Tilly) has revealed an astounding 90 percent of organizations don’t have the necessary protocols in place to be compliant with the General Data Protection Regulation’s (GDPR) as the May 25, 2018 deadline fast approaches.

Not Prepared for the GDPR? You’re Far From Alone

Although large corporations are getting the lion’s share of the attention when it comes to GDPR, the ruling affects any size company with an internet presence offering European Union (EU) residents a service. And with the penalties being so severe, businesses shouldn’t wait so close to the implementation date to comply.

Small businesses selling goods and services in the EU or interacting with their customers in other forms online have to be ready. As long as your business is collecting, processing, using and storing personal data that originated in the EU, you fall under the umbrella of the new GDPR regulations. And you will not be exempted because of your location, company size, or business type. If you don’t comply, there is a price to pay.

The fines can go as high as four percent of annual global revenue or €20 million (over $24 million), whichever is greater. Individuals who suffer damages can also take legal action by suing the data controller, processor or both as well as anyone in the supply chain.

David Ross, partner with Baker Tilly’s cybersecurity and privacy practice, said in the press release, “… organizations need to implement proactive, risk-based monitoring and compliance measures as part of a comprehensive cybersecurity and privacy program.”

Getting Ready

Getting ready means understanding what GDPR is and knowing the data it covers. It governs the personal data of individuals originating in the EU including citizens, residents, and visitors along with EU citizens living outside of the union.

The data it covers are basic identity, web, health and genetic, biometric, mental, cultural, economic, and social and political identity.

According to Baker Tilly, your organization can be liable under GDPR if you have a presence in the EU, your customers are there, use EU suppliers and vendors, have a data related business, carry marketing efforts in the EU, and your employees, investors or customers are EU citizens.

The company has posted a recent webinar titled, “GDPR: Is your organization ready?” You can watch the on-demand recording here to see what steps your business should take to comply with the regulation.

You can also get all the information about the GDPR from the official EU website here. The Information Commissioner’s Office of the UK has also posted a document (PDF) with 12 steps you can take to prepare your business.

Data Protection

The goal of the GDPR is to protect the data of individuals. The Facebook/Cambridge Analytica revelation pointed out major flaws on how personal data is readily made available to third parties. The regulation forces anyone in possession of said data to do all they can to protect it.

As Mike Vanderbilt, director with Baker Tilly’s cybersecurity and privacy practice, said, “Having well-documented privacy policies and procedures coupled with a documented privacy program overall demonstrates the organization is actively engaged in ensuring compliance in case of GDPR oversight review.”

You can take a look at the Baker Tilly GDPR primer infographic below to get you up and running.