Many global businesses still aren’t aware that they may need to muster language resources to meet the requirements of the General Data Protection Regulation (GDPR) that are coming into effect very shortly. For global businesses, preparing for GDPR will involve training every part of their business to understand the new requirements and having a communications plan in place to respond to a data breach.
GDPR is a piece of EU regulation that is intended to strengthen data protection and privacy for everyone in the European Union. It’s really some of the toughest privacy regulation in the world and affects businesses that use and store data concerning individuals within the EU and the EEA.
This wide-reaching data privacy legislation affects how businesses handle the data of EU citizens. It sets out certain administrative requirements for how data is handled and data holders must fulfil requirements to communicate with data subjects about the data they hold on them.
If you’re a global operation, the requirements set out by GDPR are likely to require you to respond with certain language capabilities – and that may not be something your organisation is fully prepared for.
Perhaps the most important thing that all organisations need to know about GDPR is that it definitely affects them. With only a few months remaining before GDPR becomes enforceable legislation, many global organisations still haven’t faced up to the fact that it will affect their operations.
GDPR doesn’t just affect businesses located in the Eurozone; it pretty much affects any business that handles the data of EU citizens.
GDPR affects most businesses
If your company has any customers within the EU, then GDPR rules apply to how you store, process or share EU citizens’ personal data. You need to be aware that high fines apply for transgressors: up to 4% of your annual turnover. This is also likely to be true for post-Brexit UK, which will almost certainly need to abide by EU regulations too.
You’ll find that you have many administrative requirements for handling the data of EU citizens under GDPR. For example, you need to respond to subject access requests within 40 days. That means if a person asks to see all the data that you hold about them, you will need to get back to them with copies of all their personal data and any information about the sources of the data within 40 calendar (not working) days.
People also have the right to data portability so you need to fulfil customer requirements to be able to move, copy or transfer their data easily from one database, storage or IT environment to another.
These requirements are going to be challenging for many organisations to meet and the deadline is fast approaching. From May this year, GDPR will be enforceable.
This means that from this date your organisation needs to face the consequences of failing to meet GDPR requirements. Multi-national organisations that are switched on to the urgency of GDPR are already racing to get all of their operational areas up to speed with the new requirements.
For some offices, this may mean a colossal change in how they gather, store and process customer data.
The communication challenge
Not many people are talking about the communication implications for GDPR. The requirements GDPR introduces state that data holders must communicate with data subjects in the event of a data breach.
If customer data is stolen, organisations need to identify the breach, inform customers and keep lines of communication with them open. For multi-national organisations, that could be a significant challenge.
Whilst as a responsible organisation you’ll no doubt be doing everything you can to prevent a breach happening in the first place, it’s important to have a company-wide plan in the event one does occur.
For starters, all staff need to be able to identify a breach if one occurs and understand what the implications are and how they need to respond. Roles and responsibilities need to be set well in advance for every region your business operates in. It’s really important that data security isn’t just seen as something the IT team handles on its own.
Once a data breach is identified, organisations must notify the affected data subjects “without undue delay”, i.e. as quickly as possible.
This means your team needs to tell affected customers what has happened, any likely consequences for them and what they need to do to protect themselves – such as changing all their passwords. The rules state this needs to be done in a dedicated, stand-alone message that must be clear and concise.
Organisations that don’t have permanent language teams on standby may need to have plans in place to respond to any data breach that might occur with the appropriate language communications.
But drafting a letter to your customers is only a part of what you’ll need to do to respond to a breach. In the event of a significant breach, it’s likely that your business may need to factor in a dedicated response team that can handle customer queries in whatever language is necessary.
For multi-national organisations, a data breach will almost certainly require them to communicate in several languages and it may be difficult to marshal the necessary teams of language speakers to handle responses.
If you’re bringing in outside resources to handle the communications, this team will need to be marshalled very quickly and you’ll need to train personnel in a short space of time. You may also need PR resources in place to help you manage the public response to the event.
Back in September, 37% of businesses surveyed by WatchGuard Technologies weren’t certain if GDPR applied to them.
With huge fines at stake, it’s important that all global organisations face up to the fact they are almost certainly affected by GDPR and need to make changes to reflect this. If you’re operating globally, this includes getting the language resources you need to respond effectively to a data breach.