The General Data Protection Regulation (GDPR) has already had a major impact on businesses since it took effect in Europe on May 25, and there are several steps organizations can take to make certain they’re in compliance with it, according to Box compliance and product managers.
“When we look at the impact that GDPR is having, one thing is for sure: The impact is quite significant,” Vaishnav Gorur, senior product marketing manager at Box, said Dec. 18 during a webinar called “How to Accelerate Your GDPR Readiness.”
That impact has come in three main areas, he noted: “the increased scrutiny that organizations are being put under”; increased complexity, risk and accountability for people and the companies they work for; and potential loss of both significant amounts of money from “hefty fines” and the reputations of organizations found to be non-compliant. After all, companies found to be non-compliant face fines of up to 20 million pounds or 4% of their global revenue (whichever is higher).
The number of complaints that the Information Commissioner’s Office (ICO) in the U.K. received in the months following the GDPR’s implementation was double that of the same period last year, Gorur said, pointing out that the ICO is the regulatory body that enforces GDPR and other data protection regulations in Europe. “The more the complaints, the higher scrutiny and higher the number of resulting investigations and audits,” he said, adding that we can “expect these to increase going forward.”
Although organizations had a “two-year grace period to comply with the GDPR, many weren’t ready,” he pointed out. As an example, more than 1,000 U.S. web sites of mostly news and other media organizations “denied access to patrons” from the European Union and “took a significant hit to their business rather than being non-compliant,” he said. So “business is definitely being affected” already by GDPR, and businesses are being impacted on a global basis, not just in Europe, he noted.
“After a few quiet months,” the ICO in September issued the first official GDPR notice to Canadian technology company AggregateIQ, he pointed out, predicting fines will be hefty and more frequent in the future.
Organizations should work with Box and other vendors that can help them achieve GDPR compliance, Argin Wong, senior manager of compliance and data privacy at Box, went on to say. And there are still plenty of organizations that can use that kind of assistance because, according to a recent TrustARC survey, 80% of companies said they were still in the early stages of planning and initial implementation, Box said.
ICO and other data protection authorities have reviewed Box’s privacy and data protection practices and agreed that the company has met requirements that include adherence to Binding Corporate Rules, Wong said. That makes it “well-suited to help customers prepare” for GDPR, according to Box.
Significant GDPR rules that Box complies with include Article 32, which mandates the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, Wong noted. Article 32 also mandates the encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, according to Box.
Box Zones, meanwhile, address data residency and privacy concerns, and Box Governance ensures proper retention, deletion and archiving of business content, according to the company.