Getting Ready for GDPR Compliance Around the World
What Do You Need to Know Before GDPR Takes Effect?
Robin Tatam: Hey guys, it's Robin here with HelpSystems. Today it is my distinct honor to be joined by Donnie MacColl, who is a HelpSystems team member out of our UK offices. Donnie's here today, so I thought it would be a good opportunity just to visit briefly about a topic that I think has become near and dear to your heart, whether you want it to or not.
Donnie MacColl: Absolutely.
Robin: And that's GDPR compliance. So why don't we start, Donnie, with a very high level overview. What is GDPR?
Donnie: Absolutely, Robin. So, the GDPR is something that I've spent the last year almost exclusively working on. I'm geekily pleased about it. It's a very exciting law that's come in that affects all European residents, and it affects every company that deals with European residents. The whole idea of the new law is to make sure that personal data that anybody uses, processes, or stores is looked after very, very properly. So, it's about time that we had something like that to replace the Data Protection Act. It's been around for a long time, and this is just to make sure that our personal data is really looked after well.
Robin: So, you mentioned law a couple of times. What's the difference between this and what's been in place before? Because I think all of us are used to dealing with regulations today. What's the big difference with GDPR?
Donnie: So, the big difference is that there's a current act, the Data Protection Act, and various other acts throughout European countries to make sure the personal data that companies use is looked after in quite a good manner. Now at the moment, it's just an act, so it's a directive, as we refer to it. So we said, it's a set of rules, and companies that use personal data have to use the set of rules and take a certain direction, but it's a bit loose. It's not uniform. Companies and countries take different methods of ensuring that data is protected. That's been around since 1995. Now the way that data was stored and processed, and the amount of it, has changed massively since then. There's now a law from May this year. There's a law that says, "It's not a direction, this is a set of rules you must comply with." It's to make the way that we store personal data and handle it uniform across the European Union.
Robin: So, what happens if we don't? What are the penalties?
Robin: Because I know that some of the discussion on GDPR is the impact that I think a lot of people are going to feel if there is a problem.
Donnie: Yeah, so that's changed massively. And now it is cut and dry, because it is a law. What's changed is that at the moment, under the existing Act, if you have a data breach you can be fined, and you could be fined at the moment up to 500,000 pounds, British pounds. That's the maximum you can be fined. Now you can be fined up to four percent of your global annual turnover or 20 million euros, whichever is higher.
Donnie: So a good example will be a company that was fined earlier this year, was fined 250,000 pounds. If we fast forward to May this year, for exactly the same data breach, they would have been fined 1.9 billion pounds.
Donnie: So it's very much a strong force to . . .
Robin: It will be interesting to see who falls victim to that and whether they're going to be looking for an example to hold people to. That will be quite dramatic. So obviously we're here in the U.S., or I am. And I'm not hearing a lot of discussion around GDPR. Is this something that people will be able to say, "You know what? That's a European construct, that's not a mandate that I have to deal with; fortunately we don't have anything like that here." Is there some impact to us here in the U.S.?
Donnie: There's a huge impact. A huge impact to here in the U.S. and in fact any country that deals with any European residents. And that's where there's been not really a massive uptake or realization that there's so much work to do. So the example being that we within HelpSystems, we now ourselves . . . Although I'm based in the UK, I'm employed by an American company. And my personal data is transferred from the UK, quite rightly, to my American headquarters. Now that means anybody here has to comply with the GDPR and all the rules that go with that as well. So anybody anywhere in the world that deals with even one European resident and stores their personal data has to comply with the GDPR.
Robin: I think the other interesting part of that too is that if anyone is supplying products or services to organizations that are in essence testifying to the fact that they are GDPR compliant, bear in mind that those folks are going to want to work with customers or with their own partners that are also going to be able to manage that as well. So, I think there is a supply chain impact as well, where large distributors or business partners are going to insist on that; otherwise they're going to go to other partners that are also GDPR compliant, so that they can attest to their whole supply chain. So I think that will have a dramatic impact as well.
Donnie: I agree with you, Robin. I think what you'll see rapidly accelerate here in the U.S. is companies asking you to prove that you are GDPR compliant, and making that part of the contract they have with those companies.
Robin: Yep, and being GDPR compliant is quite complex. So what are we doing to help people?
Donnie: Yeah, so strategically HelpSystems makes it very easy to go along the GDPR compliance journey. So for example the approach we've been taking with companies is to say, "The most important aspect of the GDPR is personal data." What we're doing is working from the inside out. We're saying, "The most important part is the data. That data can be stored in any operating system, any platform, we have solutions that can make sure that the data is secure."
If you want to be really secure, you can encrypt it. We can then make sure we've got role-based access using some of our solutions. So that any of the correct people with the correct access at the correct time can see that. That we can do that as well.
We can prevent people getting in in the first place. A really great aspect of HelpSystems solutions that we're delivering to companies now is the fact that they are auditable as well. And that's also part of the GDPR. You have to prove that you have technological solutions in place to make sure the data is secure. And to prove it, you have to have an audit trail. And that also becomes part of the data they have to have secured as well.
So HelpSystems is in a really good place to help companies. We've been doing that for the last ... well, almost a year now. And we've seen that accelerate really since January this year. It's rapid.
Robin: It's certainly getting on people's radar. So what are the deadlines? What are we working towards here? If you are an organization in Europe, or working with those like we've talked about, what is the timeframe that I'm looking at?
Donnie: So the timeframe is the 25th of May 2018; you have to be GDPR compliant. Now you mentioned earlier, Robin, it'd be interesting to see if there are any early fines that come out. I think there will be, and the reason for that is the GDPR is here now. It's been around for almost two years, and it's enforceable from May 2018.
Donnie: And all the indications are that there will be no grace period.
Robin: Yeah, I've heard about it-
Donnie: You have had two years to get ready.
Donnie: If you haven't bothered to listen . . .
Donnie: And you'll feel the force ... I think there will be some early fines. I think as early as June this year there will be fines.
Robin: Yeah, yeah. Interesting, so if you are in this category, reach out to us here. We can certainly get you hooked up with Donnie or any of our other GDPR experts, and we'll be happy to help you secure your data and understand GDPR better. Donnie, thank you. Always a pleasure.
Donnie: You're welcome.
Robin: Thanks guys, see you next time.
Get a free 30-minute consultation with the GDPR experts at HelpSystems to find out how you can get on track to meet GDPR's May 2018 deadline.