GDPR, the European Union’s new data privacy legislation, is set to come into effect May 25 of this year. The General Data Protection Regulation (GDPR) is a sweeping data protection law that affects not only European businesses but all organizations handling the personal data of EU citizens. Moving forward, if a data breach is the result of noncompliance, companies will face unprecedented fines of up to €20 million (about $24.5 million) or 4% of global annual revenue for the previous financial year, whichever is higher. If your company has any customers located in Europe, then you need to comply with GDPR. The question is, are you ready?
According to the GDPR website: “Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subject’s rights to ‘the public interest in the availability of the data’ when considering such requests.”
According to an article in ZDNet, “two thirds of organizations aren't prepared for the General Data Protection Regulation’s (GDPR) 'right to be forgotten'.” Part of the issue is how businesses are interpreting this right to be forgotten. This could lead to major problems, and big fines, if someone requests to be forgotten and the request isn’t carried out. Companies will also be required to know where this information is stored and to have a process in place to carry out these requests. In addition, the rules around consent and the data protection of children are other areas that will present challenges for businesses leading up to that May 25th date.
The UK Information Commissioner’s Office (ICO) released a 12-step guide to help organizations prepare for GDPR. In addition to the 12 steps, here are some key areas to consider when preparing for GDPR:
Hire a Data Protection Officer (DPO)
The DPO’s tasks are to:
- Inform and advise the organization and its employees of their data protection obligations under the GDPR
- Monitor the organization’s compliance with the GDPR and internal data protection policies and procedures
- Advise on the necessity of data protection impact assessments (DPIAs), their implementation and outcomes
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting
- Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests
Not all companies are required to hire a DPO; however, the following organizations are required to:
- Organizations that are public authorities or bodies
- Organizations whose core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale
- Organizations whose core activities consist of large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) and personal data relating to criminal convictions and offences.
Even if your business is not required to have a DPO, you may find that compliance is much easier with someone dedicated to it.
Complete a thorough audit of your current data security system
The best way to ensure compliance is to accurately assess your current data processes and determine where personally identifiable information resides and how it is being handled. Any type of personal data is a liability risk, including data transferred to and from partners, contractors and third-party cloud providers. Once the audit is completed and GDPR gaps have been identified, planning the remediation must be a company-wide collaborative effort. A plan that identifies high-risk areas and fixes potential problem areas before enforcement begins is key.
Educate your staff
Anyone who handles information needs to be educated about GDPR. This includes sales associates, those who maintain CRM systems, and even data entry personnel. All employees have a responsibility when it comes to GDPR compliance, and employee training should be ongoing. “Given the size of potential fines and the potential for costly litigation by consumers, the consequences of even one employee not knowing what the GDPR means for your business could be devastating.” (Independent)
Engage an MSP or MSSP with a comprehensive understanding of GDPR
If any of the above sounds overwhelming, consider hiring a Managed Services Provider (MSP). Many organizations involve their MSP to help them determine how to set up their own internal policies and procedures, as well as to ensure these are followed on an ongoing basis. Engaging an MSP to help ensure compliance will be critical. From setting up workflows to ongoing 24/7 monitoring, an MSP can help your business prepare for GDPR. A Managed Security Service Provider (MSSP) is an even better alternative, as security policies around breach readiness will also become a factor. An MSSP can strengthen an organization’s cyber security capabilities by providing personal data clarification and protection, better incident response and faster detection of breaches.
Need help with GDPR? Contact Uzado today!