ECIIA: Starting gun fired for EU data regulation compliance

25 May 2016

The ECIIA has published a special report on how internal auditors can prepare for the Directive on General Data Protection and the General Data Protection Regulation in European Governance

The EU has published the final draft of its long-awaited Directive on General Data Protection and the General Data Protection Regulation (GDPR) that enforces it, giving internal auditors two years to help organisations prepare.

“The publication of these documents is the starting gun for companies to get ready for sweeping changes to the way they handle data,” Henrik Stein, ECIIA President says. “Internal auditors need to ensure that their organisations are ahead in that race.”

Companies need plenty of time to prepare because GDPR brings fundamental reform to data protection. That includes ensuring companies obtain explicit and informed consent from customers as to how their information could and would be used. Any person has a “right to be forgotten,” where he or she could request that the data controller must take all reasonable steps for their data to be erased. And businesses need to appoint a designated data officer.

Getting it wrong attracts potentially high fines, between 2% and 5% of a company’s turnover.

“Data protection is a growing area of public concern and getting it wrong represents a risk of damage to a company’s reputation, in addition to attracting punishing fines,” Stein said. “The time for action is now.”

While the regulation came into force on 24 May 2016, it applies from 25 May 2018. The directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
