In just a few weeks, on May 25, the European Union’s General Data Protection Regulation (GDPR) will go into effect. As is expected with such sweeping change, businesses in the EU and beyond have been scrambling to prepare for the changes the GDPR will bring.
Much of what’s been written about the GDPR has focused on the current state of data privacy and on the GDPR rules themselves, and deservedly so. The GDPR imposes new rules on companies, government agencies, nonprofits, and other organizations that offer goods and services to individuals in the European Union (EU), or that otherwise collect and process personal data relating to individuals in the EU. It’s the most important change in data privacy regulation in 20 years, and its scope is much broader than that of the EU-US Privacy Shield.
The enactment of the GDPR affects companies beyond the EU, and will dramatically change business practices in a range of fields, including finance, advertising, sales, human resources, customer service, and more. When the regulation comes into effect on May 25, organizations that do not comply will face heavy fines: up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements.
But GDPR readiness and compliance are more than just updated technology and revised policies—a critical element that hasn’t received as much attention is the important role employees will play in ensuring companies comply with the regulations.
Consider the GDPR’s six key principles, which organizations will be required to abide by:
- Transparency, fairness and lawfulness in the handling and use of personal data. Organizations must be clear with individuals about how they are using personal data and will also need a “lawful basis” (such as consent, a contract, or a legitimate interest) for each processing activity.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. A company will not be able to reuse or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or corrected. Organizations will need to ensure that the personal data they hold is accurate and kept up to date, and that inaccurate data can be corrected or erased without undue delay.
- Limiting the storage of personal data. Organizations will need to ensure that they keep personal data only for as long as necessary to achieve the purposes for which they collected the data.
- Ensuring security, integrity and confidentiality of personal data. Companies must work to keep personal data secure with technical and organizational security measures.
Employees are key to compliance with each of these principles, since they are the ones who collect, handle, share, and delete personal data day to day. Organizations will have to provide their workers with training and support for new and existing technology and processes related to data handling and security.
Adhering to these principles will also require culture change—much like the shift companies are experiencing with digital transformation efforts. Not only will employees need to know how to use their tools to ensure compliance, they will also need to understand why compliance is critical.
Organizations that tackle GDPR compliance the same way they have approached digital transformation—with employees at the center—will undoubtedly have a significant advantage over their competitors.