Compliance with new EU data rules requires buy-in at all levels

GDPR compliance does not rest just with IT — it is everyone’s responsibility. Photo credit: iStock/Getty Images Plus

The European Union’s General Data Protection Regulation goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data-protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation.

With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data land, GDPR compliance is top-of-mind for executives. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for the GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.

GDPR compliance does not rest just with IT—it is everyone’s responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law.

Mediterranean Resort & Hotel Real Estate Forum

Experience the Opportunities in Mediterranean Resort Investment | 17–19 October 2018

Join 300 of your industry peers at the 4th annual MR&H in Athens, Greece, to experience exclusive investment and development opportunities available in the Mediterranean.

For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through town-hall meetings or other companywide communications. Supplement online training with in-person role-based training tailored to meet each functional area’s unique requirements.

Training, however, is not enough. With privacy by design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.

With May 25 just around the corner and 59 percent of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4 percent of annual global revenues or €20 million (whichever is greater) for noncompliance, lack of awareness could prove to be costly.

Melissa Dials is Of Counsel in the Cleveland office of Fisher Phillips.