The GDPR is an EU regulation that governs the processing of personal data of people in the EU, and requires any business that processes such data to protect it and the privacy of the individuals it relates to.
Non-compliance isn't an option: it could cost companies dearly, so make sure you know the ins and outs and how the rules will affect you and your business.
Companies that collect data on people in European Union (EU) countries have until 25 May 2018 to comply with strict new rules around protecting that data. The GDPR will likely set a new standard for consumer data and consumer rights. The challenge for companies will be putting the systems and processes in place to make sure they comply.
The aim of all of this is not merely to tick a box and comply for the sake of avoiding a (hefty) fine. You can view it as a way of improving your business. Not only can compliance be a competitive advantage, it will also boost consumers' confidence in your brand and service. Perhaps most importantly, the changes made in order to comply with the GDPR will bring technical improvements, process efficiency and a more effective way of managing and securing data across your organisation. All positive things!
Below are the basic bits of information you should know as well as some pointers as to where to start.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The last five items are "special categories" of personal data, which the GDPR allows to be processed only under narrower conditions than ordinary personal data, so finding them in your systems should raise the priority of that data source.
A company must comply if any of the following applies:
- It has a presence in an EU country.
- It has no presence in the EU, but it processes personal data of people in the EU.
- It has more than 250 employees.
- It has fewer than 250 employees but its data processing is likely to affect the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. (The 250-employee threshold in the regulation actually concerns the exemption from keeping records of processing activities, and it is narrow enough that almost all companies fall outside it.) A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
What should my company be doing to prepare for the GDPR?
- Get top management to set a sense of urgency. Preparation needs executive backing, so secure it early.
- Get all stakeholders involved. Put a task force in place that includes marketing, finance, sales, operations and any other function within the organisation that collects, analyses or otherwise makes use of customers' personal data. Information will be shared better and will reach those implementing the technical and procedural changes that the GDPR requires. Each team will also be better prepared to deal with the impact on them.
- Conduct a risk assessment: This is one of the biggest obstacles but the first course of action. You need to know what personal data you store and process, where it lives, and the risks surrounding it. The assessment must also outline the measures being taken to mitigate those risks. A key element will be uncovering all shadow IT that might be collecting and storing personal data (team spreadsheets, unsanctioned SaaS tools, one-off point solutions). The greatest risk of non-compliance comes from shadow IT and smaller point solutions, so don't ignore them.
- Hire or appoint a Data Protection Officer: This could be someone who already holds a similar role, as long as there is no conflict of interest with their duty to protect personal data (a head of marketing or IT who decides how data is used is a poor fit). If there is no suitable person, you will need to hire a DPO; this could be a 'virtual' consultative role rather than a full-time position. Note that the GDPR only makes a DPO mandatory for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, but appointing one is good practice regardless.
- Create a data protection plan: This is something that most companies already have in place. You will need to review and update it with the GDPR in mind to ensure that it complies with requirements.
- Don't forget about mobile: According to a survey, 64% of IT and security executives access customer, partner and employee personal data using mobile devices, and 81 percent of respondents said that employees were allowed to install personal apps on those devices. For GDPR compliance this creates a distinct set of risks: if any of those apps access and store personal data they must do so in a GDPR-compliant manner, which is very hard to control, especially as employees will use unauthorised apps too.
- Create a plan to report your GDPR compliance progress: As the May deadline approaches, organisations must be able to demonstrate their progress, and the Record of Processing Activities (RoPA) is the core artefact for doing so. The RoPA is an inventory of every processing activity: what personal data is processed, where it is processed, who processes it, for what purpose and on what basis. Building it from the findings of your risk assessment (including the shadow IT you uncovered) means you will not be an easy target for regulators.
- Implement measures to mitigate risk: Once you have identified the risks and how to mitigate them, put those measures in place. Using the RoPA, your GDPR team can investigate each potential data risk and determine the level of security required to protect that data.
- Ask for help: If you are a small organisation, don't be afraid to ask for help. Smaller companies can and will still be affected by the GDPR, some more than others. If you don't have the resources to meet the requirements, outside advisers can provide advice and technical expertise to guide you through the process.
- Test incident response plans: Companies must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must also inform affected individuals where the breach poses a high risk to them. Your response teams need to know how to detect, assess and report a breach within that window, and their ability to do so will influence your company's exposure to fines. Run a tabletop exercise and practise the process end to end.
- Set up a process for ongoing assessment: To stay compliant you will need to monitor the processes you have in place and continuously improve them. You may wish to reward employees for following the new policies and apply sanctions to those who don't; compliance with GDPR policies could even be written into employee contracts.
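The risk assessment and the RoPA both start from the same engineering task: finding out which columns in which data sources hold personal data, and which of them hold special category data. The following script is an added illustration of that inventory step, written for this page and not taken from any regulator's or vendor's tooling. It classifies column names against the data types listed above, scans free-text values for personal data that a column name does not reveal (an email address typed into a "comments" field, for example), and produces a per-source summary a team could paste into a RoPA. The keyword vocabulary, the regexes and the sample records (a CRM export and a team spreadsheet standing in for shadow IT) are all constructed for the example; a real inventory would use a far larger dictionary and sample values from every live system.

```python
"""Minimal personal-data inventory for a GDPR risk assessment / RoPA.

Added example, not from the original page. The category vocabulary and the
sample data below are constructed for illustration.
"""
import re
from collections import defaultdict

# Column-name keywords for the data types the page lists (hypothetical, minimal).
CATEGORY_KEYWORDS = {
    "basic identity": ("name", "address", "email", "passport", "dob", "id number"),
    "web data": ("ip", "cookie", "location", "rfid", "user agent"),
    "health and genetic": ("health", "medical", "diagnosis", "genetic"),
    "biometric": ("biometric", "fingerprint", "faceprint"),
    "racial or ethnic": ("ethnicity", "race"),
    "political opinions": ("political", "party membership"),
    "sexual orientation": ("sexual orientation", "orientation"),
}
# The page's last five data types are GDPR special categories.
SPECIAL_CATEGORIES = {"health and genetic", "biometric", "racial or ethnic",
                      "political opinions", "sexual orientation"}

# Patterns for personal data hiding inside free-text values.
VALUE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def _normalise(field_name):
    """'homeAddress' / 'home_address' / 'Home-Address' -> 'home address'."""
    spaced = re.sub(r"([a-z])([A-Z])", r"\1 \2", field_name)
    return " ".join(re.split(r"[^a-z0-9]+", spaced.lower())).strip()


def classify_field(field_name):
    """Return the sorted data categories a column name suggests ([] if none)."""
    name = _normalise(field_name)
    return sorted(cat for cat, keywords in CATEGORY_KEYWORDS.items()
                  if any(re.search(rf"\b{re.escape(kw)}\b", name) for kw in keywords))


def classify_value(value):
    """Return the sorted names of PII patterns found in a free-text value."""
    if not isinstance(value, str):
        return []
    return sorted(k for k, pat in VALUE_PATTERNS.items() if pat.search(value))


def inventory(sources):
    """sources: {source_name: [record, ...]} -> {source_name: RoPA-style summary}.

    A column is classified by its name; columns whose name reveals nothing are
    checked value by value so PII in free text is still surfaced as 'hidden_pii'.
    """
    summary = {}
    for source, records in sources.items():
        fields = defaultdict(set)   # column -> categories from its name
        hidden = defaultdict(set)   # unclassified column -> PII patterns in values
        for record in records:
            for field, value in record.items():
                cats = classify_field(field)
                if cats:
                    fields[field].update(cats)
                else:
                    hidden[field].update(classify_value(value))
        hidden = {f: sorted(p) for f, p in hidden.items() if p}
        all_cats = set().union(*fields.values()) if fields else set()
        special = bool(all_cats & SPECIAL_CATEGORIES)
        summary[source] = {
            "record_count": len(records),
            "fields": {f: sorted(c) for f, c in fields.items()},
            "hidden_pii": hidden,
            "special_category": special,
            "needs_review": special or bool(hidden),
        }
    return summary


# Constructed sample data: a sanctioned CRM export and a team spreadsheet
# (shadow IT) that nobody had registered as holding personal data.
SAMPLE_SOURCES = {
    "crm_export": [
        {"full_name": "A. Example", "home_address": "1 Test St", "client_ip": "203.0.113.7"},
        {"full_name": "B. Example", "home_address": "2 Test St", "client_ip": "203.0.113.9"},
    ],
    "hr_wellbeing_sheet": [
        {"employee": "C. Example", "health_notes": "back pain",
         "comments": "contact c.example@example.org"},
    ],
}

if __name__ == "__main__":
    for source, row in inventory(SAMPLE_SOURCES).items():
        print(source, row)
```

The point of the two-pass approach is the second pass: column names are what a spreadsheet owner wrote, not what the data is, so the free-text scan is what catches the spreadsheet above as both special category data (the "health_notes" column) and an unregistered contact address in "comments", and marks it for review ahead of the well-labelled CRM export.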
With only a few months left to make sure your company is complying with the new regulations we thought it useful to provide this key information and advice for meeting the requirements. This blog is just a brief overview but if you head over to our sister company Geekabit you can read Part 1 and Part 2 on this topic (https://geekabit.co.uk/2018/02/25/part-1-general-data-protection-regulation-gdpr-the-requirements-deadlines-and-facts/) which gives a much more detailed account of the requirements and how to get your company to comply.