Get prepared for the GDPR.
If you do business anywhere in the world, there is a good chance your organization processes data about individuals in the context of selling goods or services to citizens of a European Union (EU) country. If so, you will need to comply with the General Data Protection Regulation (GDPR). What is the GDPR? It is a regulation intended to strengthen and unify data protection for individuals within the EU. It was approved and adopted by the EU Parliament in April 2016 and will come into force in May 2018.
Ensuring compliance with GDPR will involve more than just flipping a switch. Whether your business is located in the EU or not, if it processes data about individuals in the context of selling goods or services to citizens of an EU country, your business will need to comply.
The data it refers to includes any information related to a person that can be used to directly or indirectly identify that person. This includes, for example:
- a name,
- a photo,
- an email address,
- bank details,
- posts on social networking websites,
- medical information,
- a computer IP address.
Here are three strategies for jump-starting the process:
- Process Your Processes: Take time to reflect on your current processes and how they must be modified to comply with GDPR standards. Complete an internal audit to assess the processes, systems, internal people and third parties that are in place or need to be put in place to ensure data security compliance. Determine how they work together to establish formal workflows. Generate a process for handling issues and related actions, including breach notifications. Prepare detailed action plans to address any identified gaps in data security.
- Prioritize People: Appoint a data protection officer who can establish ownership around data security and the training of personnel. Further, when you’re assessing your current and future-state workflows, pay special attention to who needs to be involved with what data or which processes and when. Understanding the roles individuals play and when they enter into the picture is important for establishing a fluid cadence of communications and workflows around data security.
- Choose Tools Wisely: Unfortunately, people aren't enough. If the massive undertaking of being GDPR-compliant by May 2018 requires you to divert resources from other areas of your business, you could be putting your business at risk in other ways. Assess whether you have technology in place, or whether you need to invest in technology, to help you be compliant and efficient at the same time.
The right technology should help you deploy all three of these strategies with ease and efficiency. Such technology should be easy to use, flexible and, most importantly, integrated, to meet the data security compliance demands of the enterprise.
If you currently use risk management technology, or are considering investing in such a system, it might already have the capabilities you need, including:
- Regulatory interaction: Can interactions with regulatory and internal stakeholders be managed within the solution, giving a complete view of data security needs in one place?
- Management of Contracts and Corporate Policies: Can the solution serve as a central repository for all contracts and policies?
- Ongoing data-sharing request management: Can you automate data-sharing request processes efficiently, with pass-throughs based on existing data-sharing contracts?
- Data request management and governance: Can you manage requests for information?
- Vendor risk management: Can you manage third parties and their ongoing data security access requirements and assessments?
- Reports and dashboards: Can the solution provide comprehensive analytics and an audit trail of the data security activities within the organization for ongoing monitoring/assessment and regulatory needs as required?
Be careful not to invest time, energy and budget in a one-off compliance solution. Instead, consider enterprise-wide risk management technology that can fold GDPR in with all your other risks, too.
To learn more about GDPR and strategies to keep your business compliant, read our white paper.
There is a tiered approach to fines: organizations can be fined up to 4% of annual global turnover or 20 million EUR (whichever is higher) for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the regulation's core concepts. Less serious infringements carry a maximum fine of 10 million EUR. It is important to note that these rules apply to both controllers and processors, meaning cloud service providers will not be exempt from GDPR enforcement. There is also provision for class action and individual prosecution, depending on the breach.
In addition to fines and penalties, there is also the cost of compliance to consider. As an example, if every EU visitor to an American theme park in the last few years requested deletion of any of their data, the company that owns the park may be forced to spend a fortune to identify all the patrons and photos taken of them on systems throughout the park and delete them.
As a general trend, the regulatory environment is getting more complex and prescriptive. There is a recognition that data is an asset, and hence the focus on data will continue to rise. With just under six quarters from now until the regulation comes into force, time is critical and companies should start planning for GDPR now. Learn more about preparing for GDPR in our white paper.