The EU’s General Data Protective Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.
GDPR compliance does not rest just with IT – it is everyone’s responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law. For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through townhalls or other company-wide communications. Supplement online training with in-person role-based training tailored to meet each functional area’s unique requirements.
Training, however, is not enough. With Privacy by Design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals, and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.
With May 25th just around the corner and 59% of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4% of annual global revenues or €20 Million (whichever is greater) for non-compliance, lack of awareness could prove to be costly. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.