GDPR is less than a year away. Are you prepared?
On May 25th, 2018, the GDPR (EU’s General Data Protection Regulation) will become enforceable. Are you ready? Are you crystal clear on what GDPR is?
Most importantly … do you know what’s at stake for your business?
In the coming months, I’ll be updating you on what we can all do to prepare for this new set of regulations.
But first, let’s cover the basic facts of GDPR:
What: The GDPR is a series of new regulations that will replace the existing Data Protection Act (DPA) in Europe. The new regulation has worldwide reach and aims to give every European citizen greater protection over, and control of, their personal data as it flows outside the EU.
The definition of personal data has been extended to include categories such as IP addresses, geographic locations, names, home or work addresses, gender and even more sensitive information like health status, political affiliations, religion, ethnicity, etc. The GDPR is one of the biggest, most far-reaching regulations since the Sarbanes-Oxley Act of 2002 and aims to create a uniform set of rules to be enforced across the continent.
Why: “The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.” That’s the official Wikipedia description. Essentially, Parliament voted to give authorities more power to take action against companies that don’t do enough to protect European citizens’ identities. Current regulations are not tailored to the digital economy, which is a significant problem for both businesses and consumers.
Who: Obviously, European companies need to heed these regulations and prepare right away. The regulation also applies to any personal data of EU citizens that is stored outside the EU. Yes, even if you are a U.S.-based company with just one customer in Europe (and yes, online customers count), you must comply. If you have no European customers but even one employee who is European, you must comply.
Worry! What’s at stake for those who don’t comply? Quite a bit. Companies can be fined up to 4% of their worldwide revenue or €20 million, whichever is more. Many companies have budgeted 3% of worldwide revenue for their entire IT department. That’s a devastating fine. The GDPR needs to be taken extremely seriously.
There is a lot of worry and misinformation surrounding the GDPR. It needs attention at the board level, or companies will fail.
So what steps can you take to make sure your company is in compliance?
- Create awareness! Educate leadership and staff on GDPR, its importance and its ramifications.
- Document any personal data you hold, including where it is, where it came from and with whom you share it.
- Review current privacy notices and plan to make any necessary changes in time for GDPR implementation.
- Make sure that decision makers and key personnel are aware of the changes and implications of GDPR.
- Update procedures and plan how you will handle requests in the future.
- Identify your legal basis for processing personal data.
- Consider consent. Determine how you will seek, obtain, and record consent.
- Anticipate data breaches. Make sure you have the right procedures in place to detect, report, and investigate a personal data breach.
- Plan for Data Protection by Design and Impact Assessments. Think now about how and when to implement them.
- Designate a Data Protection Officer to take responsibility for data protection compliance, and assess where this role will sit within the organisational structure.
Finally, do not forget the crucial role identity management plays in your planning. “A strong, robust, reliable and trustworthy IAM strategy and capability is a core building block required to achieve compliance with the [General Data Protection Regulation] GDPR,” said Matthias Reinwarth, senior analyst at KuppingerCole, in a recent ComputerWeekly article.
I’ll be bringing you more about GDPR preparedness in the coming months. Stay tuned!