And awards/grants/scholarships programs need to comply
Etch it into your mind: 25 May 2018. This is the day the GDPR (General Data Protection Regulation) comes into effect, and it will affect everyone, not just companies/organisations based in the European Union.
If this is the first time you have heard of the GDPR, sit up and listen because you still have time to do something about it and ignoring it (no matter where in the world you are) could have some pretty dramatic consequences.
If you don’t know about the GDPR yet, here is a broad overview:
The General Data Protection Regulation (GDPR) proposed by the European Commission will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. The primary objective of the GDPR is to give control of personal data back to individual EU citizens.
Any company around the world that handles the personal data of EU residents will need to comply with the new requirements or be subject to some heavy punishment.
This is the largest change to data protection laws in the last 20 years and you have less than 100 days to get ready.
What are the consequences of non-compliance?
There are big fines for non-compliance. Under the GDPR, the largest fine that can be given is €20,000,000 or 4% of global revenues, whichever is higher!
If a breach occurs, under the GDPR organisations have a responsibility to report it to the relevant supervisory authority within 72 hours. Failure to do so is considered a breach of the regulation and can be penalised with an additional fine of €10,000,000 or 2% of global revenue!
These fines are serious and, for many organisations, killers. Can your organisation/business survive a fine of this magnitude?
What can you do right now?
There is a lot to do, but if you are only starting down the GDPR path now, this is what we would do:
1. Get up to speed
You need to set aside some time to investigate GDPR as soon as possible.
2. Carry out an information audit
Look at how your organisation collects and uses information. Where is data collected and stored? Who's able to access this data? What security measures do you currently have in place?
3. Raise awareness within your organisation
Most employees will have a connection to personal data the organisation holds and processes. Be sure they understand the coming changes and the impact this could have on business. Make sure senior management is engaged in the process.
4. Review your privacy policies and statements
Look at what you currently tell users about how you use their data, and assess how far this goes towards complying with the GDPR. Dig deep into your terms and conditions and privacy policies and ensure they are in line with the GDPR.
5. Assess your policies and procedures
Just ask yourself: "What would I do if someone wants to know what information my company has about them?" You need a process to handle and manage what could be an influx of requests. At the very least, you’ll be prepared.
The Information Commissioner's Office in the United Kingdom has provided basic guidance for organisations outlining 12 steps organisations should take now. Find the full list here
Ensure your software partners are compliant
If you are an Award Force client, you have hopefully heard us talk about the GDPR already, the steps we are taking to be in line with the law, and our confidence that we’ll be ready for the GDPR come May 2018. Read more here.
We urge you to ensure you and your other software partners are doing the same.
If you are not yet an Award Force client and use other software for managing your awards/grants/scholarships program, rely on a manual paper-based system, or have a custom system your organisation built itself, there is no better time than right now to start reviewing your options to ensure your compliance.
In the end, the GDPR is a good thing and Award Force supports any efforts to protect the privacy AND security of people around the world. It may not be a nice thing to have to deal with right now, but it is the right thing to do.