What are the GDPR Rules for Recording Calls?

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 GDPR Rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents.

Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7).

Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be provided by an affirmative action. Silence or inactivity is no longer sufficient.

An unambiguous action is now required, such as pressing a specific key on the telephone or providing verbal consent. A recording of consent should be retained by the company.

GDPR Rules for recording calls involve more than consent. The recording of telephone conversations is only possible if there is a valid and legal reason for that information to be collected.

For all companies, at least one of the following criteria must be met in addition to obtaining consent:

  • Recording is required to comply with a contract
  • Recording is required to satisfy legal requirements
  • Recording is required to protect the interests of one or more participants
  • Recording of calls is necessary for safety or is in the public interest
  • Recording is in the legitimate interests of the recorder, provided those interests are not overwritten by the interests of the participants in the calls.

Other GDPR Rules for recording calls are detailed below:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely and appropriate security controls applied to prevent stored call data from being accessed by unauthorized individuals. Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies, physical, and technical safeguards to reduce risk to an acceptable level.

Data Retention Rules

Article 5 (e) of the GDPR explains that data can only be retained for the length of time that it is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied for how long data can be retained. When call recordings are no longer required, data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls. If a request is received from a data subject to access their personal data, it is necessary to comply with that request within 30 days. A company must therefore have the ability to be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected. The right to erasure similarly doesn’t apply for the establishment, exercise or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

If GDPR Rules for recording calls are not followed, stiff financial penalties can be issued. The maximum fine is €20 million or 4% of global annual turnover, whichever is the greater.

The post What are the GDPR Rules for Recording Calls? appeared first on HIPAA Journal.

A Third of Healthcare Organizations Expected to Miss GDPR Deadline

Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation.

The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance.

The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater.

The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has passed.

A survey conducted by Netsparker in the fall of 2017 revealed 14% of healthcare organizations surveyed had only achieved a quarter of what was necessary to comply with GDPR requirements, and 7% were only minimally aware of what was required. A survey conducted by Clearswift in October suggested healthcare was the least likely industry to be prepared for GDPR.

How Have Healthcare Organizations Fared with Their GDPR Compliance Efforts?

Recent data on the state of healthcare industry GDPR compliance are limited, although a survey conducted by Harvey Nash and KPMG provides some insight into how healthcare organizations have fared with their compliance efforts. The survey was conducted between December 20, 2017 and April 3, 2018 on 3,958 IT leaders from a wide range of industries.

In North America, 59% of companies had completed or mostly completed their GDPR compliance efforts ahead of the May 25, 2018 deadline, with 40% of companies reporting that they still expected to be on the road to compliance by the time GDPR came into effect.

Healthcare organizations fared better than average, with 67% saying they were already in compliance with GDPR or were mostly compliant, broken down as 14% compliant and 53% mostly compliant. However, a third of healthcare companies (33%) said they would still be on the road to compliance by the May 25 deadline.

The survey also revealed that 40% of healthcare companies did not have a clear digital business vision and strategy, although 35% of were currently working on one. 13% of healthcare firms said they were not well prepared to deal with cyberattacks, which could see them experience problems complying with GDPR reporting requirements. Under HIPAA, healthcare organizations have up to 60 days to report security breaches involving PHI. GDPR requires reports of breaches of personal data to be issued within 72 hours of the discovery of a breach.

The Privacy Rule requires healthcare organizations to respond to patients requests for copies of their data within 30 days, the same time frame as required by GDPR. However, in contrast to HIPAA, GDPR requires copies of all personal information to be provided, not just a limited data set. That requirement could well prove problematic if healthcare organizations have not performed a full audit to determine where all copies of data are located. The same applies to honoring requests to have all data erased when consent to process and store data is revoked.

The time that organizations have had to devote to compliance has been considerable and compliance has come at great cost, although far less than the potential fines for noncompliance. Fortunately for many healthcare companies, IT budget increases will have helped cover the cost of compliance. 49% of healthcare firms have increased their IT budgets in 2018. For the 51% of healthcare organizations with static budgets or budget cutbacks, compliance will have been a major struggle.

The post A Third of Healthcare Organizations Expected to Miss GDPR Deadline appeared first on HIPAA Journal.

Rights of Data Subjects Under GDPR

What are the rights of data subjects under GDPR? Find out more about what GDPR means to data subjects, data controllers, and data processors.

The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The main purposes of the directive are to ensure data protection laws are standardized across all member states and to expand the rights of data subjects. Under GDPR, data subjects have greater control over who collects their data, how the information is used, and for how long.

GDPR: Rights of Data Subjects

The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.

1.      Right to Access Personal Data

Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).

2.      Right to Rectification

Data subjects have the right to request modification of their data, including the correction or errors and the updating of incomplete information (Article 16).

3.      Right to Erasure

The right to erasure – also referred to as the right to deletion or the right to be forgotten – allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).

4.      Right to Restrict Data Processing

Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).

5.      Right to be Notified

Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).

6.      Right to Data Portability

A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine readable format, if doing so is technically feasible (Article 20).

7.      Right to Object

If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).

8.      Right to Reject Automated Individual Decision-Making

Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects – profiling for example (Article 22).

Rights of Data Subjects under GDPR are Not Absolute

There is a common misconception that the rights of data subjects under GDPR are absolute, and under no circumstances can those rights be lost. While it is true that data subjects have the above rights under GDPR, in certain situations those rights cannot be granted.

For example, the right to restrict data processing does not apply is when data are processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. The same applies to the processing of personal data in the prevention of threats to public security.

Data subjects have the right to access their personal data file, although not if that access adversely affects the rights and freedoms of others.

While data controllers must be aware of the rights of data subjects, they should also be aware of the circumstances under which those rights can be denied, and when charges can be applied for granting data subjects’ rights.

The post Rights of Data Subjects Under GDPR appeared first on HIPAA Journal.

What is GDPR Special Category Data?

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

What is GDPR special category data and how do the rules differ for processing that information.

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.

GDPR special category data includes the following information:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or processing these data unless:

  • Explicit consent has been obtained from the data subject; or,
  • Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
  • Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent; or,
  • Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
  • For purposes of preventive or occupational medicine; or,
  • Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes; or,
  • Processing relates to personal data which are manifestly made public by the data subject; or,
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

The processing of all personal data must only occur if there is a lawful reason for using the information, as detailed in Article 6 of the GDPR. Any company that needs to process special category data must check the requirements laid down in Article 9 of GDPR. Personal data related to criminal convictions and offenses are also particularly sensitive and dealt with separately in Article 10 of GDPR.

If special category data are collected, stored, processed, or transmitted data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

The GDPR Compliance Date has Now Passed

The compliance data for the General Data Protection Regulation (GDPR) has now passed and companies are required to comply with all GDPR regulations. There are stiff financial penalties now applicable for any company that is not in compliance with GDPR.

To avoid financial penalties, ensure that appropriate resources are devoted to your GDPR compliance program and you are documenting your compliance efforts and can demonstrate to regulators that you are in the process of complying with the GDPR.

The post What is GDPR Special Category Data? appeared first on HIPAA Journal.

The GDPR Right to Object Explained

Under the General Data Protection Regulation (GDPR), data subjects can object to certain uses of their data, but what exactly is the GDPR right to object, what can data subjects legitimately object to, and what must companies do when an objection is received from a data subject?

The GDPR Right to Object

The GDPR right to object is detailed in Article 21 of the GDPR. From May 25, 2018 – the compliance date for the GDPR – businesses must have developed policies and procedures for dealing with objections from data subjects.

The GDPR right to object allows data subjects to object to certain types of data processing and stop a company from continuing to process their personal data. There are only certain situations when a legitimate right to object can be sent to a company.

These are:

  1. Direct marketing
  2. The processing of personal data for statistical purposes related to historical or scientific research
  3. The processing of data for tasks in the public interest
  4. The exercising of official authority invested in you
  5. Objections to data processing in yours or a third party’s legitimate interest
  6. Objections to data processing based on their own beliefs and situations

Individuals must be informed of the GDPR right to object at the first point of contact. They must be told they have a right to object to the processing of their data, the lawful basis for you processing their personal data, and when data are being processed for public tasks, legitimate interests, or for research or statistical purposes.

Data subjects should be allowed to make objections verbally or in writing. While not all objections will be valid, individuals do have an absolute right to stop their personal data from being used for direct marketing.

Responding to Objections from Data Subjects

All companies covered by the GDPR must develop policies and procedures for assessing objections from data subjects. An official at the company must be assigned responsibility for checking objections received from data subjects and determining their validity.

When the GDPR right to object is exercised, the data subject must supply a specific reason why they are objecting to the processing of their data, apart from objections related to direct marketing. Not all objections will require action, although each must be carefully considered.

All objections must be assessed and dealt with promptly. Companies only one calendar month to assess and process objections from data subjects.

If an objection is received related to the use of personal data for direct marketing, a company must stop using personal data for direct marketing immediately. That includes any profiling related to direct marketing to that individual. If an objection is received, it does not mean an individual’s data must be immediately deleted, only suppressed to prevent them from receiving any future direct marketing.

Not all objections will be valid. For instance, if a company collects data for legal claims, and can prove that to be the case, the objection can be overridden.  If an objection is received from a data subject relating to the use of personal information for research purposes, issues relating to public safety, public health, or uses that are in the public interest, it may not be necessary to comply with the objection. If an objection is determined to be valid, the company must stop processing the personal data of a data subject for the reasons outlined in the objection.

It is important for businesses to maintain records of any objections received and the action taken in response to those objections.

A data subject cannot be charged for resolving the objection, although in cases where objections are unfounded or excessive, a fee could be charged for processing the request or a company could simply refuse to deal with the request.

The post The GDPR Right to Object Explained appeared first on HIPAA Journal.

Do You Have a GDPR Data Retention Policy?

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?

GDPR Data Retention Rules

Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.

Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.

When data need to be retained, appropriate security controls should be applied to prevent the unauthorized accessing, use, or processing of data and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date and inaccurate data are removed.

GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Recital 39 of GDPR explains that when data are retained, strict time limits should be established by the data controller to ensure data are not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data are securely erased when no longer required.

GDPR applies to personal data that could be used to identify an individual. If data are required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.

There are good reasons for the rules on data retention. The longer data are kept, the greater the chance that data will become out of date and the harder it becomes to ensure data are accurate. In the event of a data breach, the more data that are stored on individuals, the greater the potential for harm.

Developing a Compliant GDPR Data Retention Policy

You should already have developed a GDPR data retention policy, although if you have yet to do so now is the time to conduct a review of your data retention policies and update them accordingly. Now is also the time to ensure that any personal data of EU residents that are currently stored are deleted if the original purpose for which they have been collected has been achieved.

To help with the creation of a GDPR data retention policy use the checklist below:

GDPR Data Retention Policy Checklist

  • Stipulate what data are covered by your policies
  • Set strict time limits on how long data are retained
  • Cover the methods that should be used to delete physical and digital data
  • Ensure it is explained, at the time of collection, how long data will be retained or how the decision will be made to delete data that are no longer required
  • Schedule regular reviews of stored data to determine whether the information is still required
  • Some types of data may need to be retained for longer than others. This should be detailed in your policy
  • It is particularly important to ensure that sensitive data are deleted promptly and are not stored for longer than is strictly necessary – Sensitive data includes sexual orientation, race, beliefs, and health information
  • Ensure your policy covers deletion of personal data if an EU resident exercises their right to be forgotten
  • Stipulate exceptions to general rules on data retention – federal and state laws, litigation holds etc.
  • Make sure that all employees are aware of your GDPR data retention policy.
  • A GDPR data retention policy must be documented. It may need to be provided to regulators in the event of an audit or investigation of a complaint.

GDPR Compliance Deadline

The General Data Protection Regulation becomes effective on May 25, 2018, after which severe financial penalties can be issued to companies and individuals who fail to meet the requirements of GDPR. The penalty for non-compliance with GDPR is up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

If you are not yet compliant with GDPR requirements or have yet to start your compliance program, it is unlikely you will be able to comply with all aspects of GDPR ahead of the deadline. It is therefore essential that you have documentation that proves you have at least made an attempt to comply with the requirements of the GDPR and that your efforts are ongoing.

The post Do You Have a GDPR Data Retention Policy? appeared first on HIPAA Journal.

GDPR Exemptions: Who is Exempt from GDPR Requirements?

The General Data Protection Regulation comes into force on May 25, 2018 and companies that collect or process the personal data of EU residents are required to comply with the GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring the privacy and data rights of EU residents are protected. GDPR may be an EU law, but GDPR applies to all companies. It does not matter where a company is located, whether it is based in the EU or in a non-EU country, compliance with GDPR is mandatory.

There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites are accessible in the EU. Apart from limited GDPR exemptions, all companies – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior.

Who is Exempt from GDPR?

There are limited GDPR exemptions related to the processing of personal data as detailed below:

  • When data are processed during the course of an activity that falls outside of the law of the European Union
  • GDPR does not apply to individuals that process data for personal or household activity
  • GDPR does not apply to government agencies and law enforcement when data are collected and processed for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties or for preventing threats to public safety
  • GDPR does not apply to the processing of personal data by Member States for activities under the scope of Chapter 2, Title V, of the Treaty on European Union.

GDPR Article 23: Derogations

While one of the aims of the GDPR is to harmonize data protection laws across all EU Member States, it is possible for Member States to introduce derogations and supplemental laws for country-specific purposes, as detailed in Article 23 – Restrictions.

When derogations are introduced it is still necessary for the rights of EU residents to be respected and for their data to be protected. Derogations are acceptable in the following areas:

  • A country’s security, defense, and public security
  • Enabling and securing judicial independence
  • The detection, investigation, and prosecution of crime and the prevention of criminal activity
  • To enable enforcement of civil law claims
  • The protection of subjects critical to national interests such as budgetary, social, and health matters.

GDPR Articles 85-91: Derogations

Articles 85-91 of GDPR also cover situations were derogations may be appropriate for individual Member States. These relate to:

  • Freedom of expression and information
  • Public access to official documents
  • National Identification Numbers
  • Personal data of employees
  • Data for scientific or historical research
  • Archiving in the public interest
  • Obligations of secrecy
  • Churches and other religious associations

In all cases, it is still necessary to ensure data are protected.

The post GDPR Exemptions: Who is Exempt from GDPR Requirements? appeared first on HIPAA Journal.

Does GDPR Apply to EU Citizens Living in the US?

The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries?

What happens when Americans visit an EU country? They are clearly not EU citizens but are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country or visiting on vacation or for business.

Does GDPR Apply to EU Citizens Living in the US?

Use of the phrase European Union citizen is not helpful when dealing with GDPR because GDPR is not concerned with citizenship, instead it is concerned with where a person is located. The term EU resident is more useful, or a person located in the EU.

GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.

If an EU citizen travelled to the United States and interacted with an EU business, which required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply.

Does GDPR Apply to US Citizens Living in an EU Country?

GDPR is not concerned with whether or not an individual is an EU citizen. Anyone located in an EU country is protected by GDPR. If an American travelled to Germany, walked into a store, made a purchase and was required to provide their name and address for an invoice, their personal information would need to be protected in line with GDPR requirements and they be given the same rights and freedoms under GDPR as an EU citizen.

Does it Matter Where a Business Is Located?

GDPR applies to individuals and gives them certain rights and freedoms. GDPR places certain restrictions on what businesses can do with the personal data of individuals residing in the EU. It does not matter where the business is located and whether or not a business has a base in an EU country. GDPR rules apply if the business collects or processes the personal data of an individual residing in the EU.

Unfortunately, there is no law that protects the privacy of all individuals in the United States, only specific groups of individuals. The Health Insurance Portability and Accountability Act (HIPAA) requires safeguards to be implemented to protect the privacy of patients and health plan members, but only in relation to protected health information (PHI) and only if PHI is collected, stored, used, or transmitted by a HIPAA-covered entity.

For HIPAA-covered entities, compliance with GDPR will be more straightforward if they apply the same requirements for safeguarding PHI to all individuals and all personal data. Taking a more holistic approach to data protection makes compliance with GDPR easier.

If that approach is taken, then it is likely that EU citizens residing in the US will be given the same protections as those living in an EU country.

The post Does GDPR Apply to EU Citizens Living in the US? appeared first on HIPAA Journal.

The Cost of GDPR Compliance

As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR.

Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage.

How Will GDPR Compliance Cost Money?

Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks which need to be addressed in any new procedures; and it should facilitate information relating to individual data subjects being grouped together. Consent must also be evaluated for each piece of data.

Following the audit, any data that is erroneous should either be corrected or deleted; action must be taken to put appropriate technical and organizational measures into place to reduce or mitigate the identified risks; and all the information relating to individual data subjects must be grouped or at least made easily retrievable to comply with individuals’ rights to request copies of their data or to exercise their “right to be forgotten” – to have their data deleted. The previous processes for requesting consent to process data must be examined to check whether they were compliant with the new rules; if not, consent to continue holding or processing data must be sought again.

There will no doubt be a considerable number of hours spent completing the audit, writing the procedures, training staff, and verifying information, even for companies that only hold smaller amounts of data.

In addition to this, groups employing over 250 members of staff will be required to hire or train a Data Protection Officer, if such a position does not already exist in the organization. It should not be forgotten that employees are also protected by the GDPR, so any employee data and contracts should be reviewed by HR.

How Will GDPR Non-Compliance Cost Money?

While introducing all the necessary elements to comply with the GDPR will undoubtedly be expensive in terms of time and money, non-compliance will certainly cost more. Fines have been approved as part of enforcing the GDPR and the maximum financial penalty is a fine of €20 million or 4% of global annual turnover, whichever is higher.

Crippling financial sanctions could later be compounded by image and reputational damage, with consumers possibly avoiding an organization that does not take the necessary steps to protect their information. Whether the fault is discovered following a fine levied by the supervisory authority or following a data breach, people are likely to take note.

Compliance with the GDPR must now be seen as a cost of doing business. It is a necessary legal hurdle and will also reduce some costs by introducing a harmonious approach to processing data belonging to individuals within the EU. Organizations that fail to take the necessary steps to ensure compliance, or that only implement superficial changes, run the risk of severe monetary and reputational costs.

The post The Cost of GDPR Compliance appeared first on HIPAA Journal.