The GDPR enforcement date has passed and, as you might have already heard, well-known companies are feeling the impact of not being fully prepared. These companies are facing potentially significant costs from lawsuits, fines, and from having to speed up the development and deployment of their GDPR compliance strategies.
Data protection has also gone global. Governments around the world, including Canada and Australia, have already released regulations similar to GDPR to better protect their citizens’ data privacy and security. Numerous experts predict that in coming years laws resembling the GDPR will be established outside the EU.
To review, penalties for non-compliance jointly apply to both Data Controllers and Data Processors, as both roles have responsibilities under GDPR. Infringements under GDPR carry administrative fines of up to €20 million or four percent of total yearly worldwide revenue, whichever is higher. Furthermore, there could be individual lawsuits, class-action lawsuits, and personal liability claims against your organization. There are also business costs and impacts, from reputation damage, which could lead to lost business, to competitors who have better prepared themselves for GDPR.
It is difficult to say exactly how GDPR non-compliance will impact your organization. The specific consequences depend on:
- The size and risk categorization of the impacted personal data
- How long the infringement endured
- How many individuals were affected and the level of impact on EU individuals
- Repeated, negligent, or reckless mismanagement of data showing trends of data irresponsibility to comply with the regulation
Some violations can be deemed lower level, such as Article 32—security of processing, or upper level such as Article 7—right to consent, Article 16—the right to rectification, Article 17—right to erasure, and Article 20—right to data portability. These specific GDPR articles are grouped under each of these violation categories as you can see here:
- End-User Empowerment—Companies must implement processes to support end-user empowerment of their Data Subject's own data. End users should have transparency into how their data is stored and how they can opt out.
- Consent Management—How and where did your company obtain consent to store and process a Data Subject's data? For how long was that consent granted?
- Additional Roles—Companies have to prove they are handling data correctly, meaning increased monitoring and documentation. Some, particularly larger companies, will hire data protection officers to handle GDPR compliance. Additionally, personnel in the legal and technology sectors such as lawyers, data experts, and programmers are in high demand as companies seek to gain and maintain GDPR compliance.
After speaking with a lot of customers and others in the industry about GDPR our team has defined four key areas of GDPR compliance for Salesforce Backups that we see companies struggling with in their GDPR compliance strategies:
- Transparency;
- Data Subject Access Requests;
- Backup retention; and
- Immutable backups.
Download The GDPR and Your Salesforce Backups eBook for more on these key compliance areas and helpful guidance on steering your organization towards GDPR compliance.
In case you missed it, download the post-GDPR webinar recording, GDPR Compliance in the Post Enforcement Period.
