5 steps U.S. companies should take to prepare for GDPR enforcement

Getting a grip on data ahead of time can help avoid headaches later

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The dead­line for orga­ni­za­tions to be com­pli­ant with the Euro­pean Union’s Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) is less than a year away. On May 25, 2018, all orga­ni­za­tions that hold or trans­port EU cit­i­zen data must have process­es and poli­cies to meet the reg­u­la­tion requirements.

GDPR isn’t a sug­ges­tion that com­pa­nies insti­tute best prac­tices for cus­tomer data pri­va­cy; it is a direc­tive that could result in fines of €20 mil­lion or up to 4 per­cent of annu­al glob­al turnover. Not only will all com­pa­nies in the EU be required to meet the new reg­u­la­tions, but GDPR also is in effect for all orga­ni­za­tions that hold or process the data of cus­tomers who live in the EU.

Relat­ed video: How respect­ing con­sumer pri­va­cy can be a prof­itable differentiator

That includes busi­ness­es based in the Unit­ed States. How­ev­er, there are still a num­ber of orga­ni­za­tions that are either unfa­mil­iar with GDPR or don’t see the dead­line as crit­i­cal. Small- and medi­um-size busi­ness­es are not immune to GDPR reg­u­la­tions, yet, they may have the most to lose for not being compliant.

Michelle Dennedy, Cis­co vice pres­i­dent and chief pri­va­cy officer

The sit­u­a­tion is not total­ly dire for those who haven’t begun plan­ning. Michelle Dennedy, vice pres­i­dent and chief pri­va­cy offi­cer at Cis­co, offered five steps U.S. com­pa­nies should take to be pre­pared for when GDPR goes into effect.

1. Take stock of your data

Your data will tell you a lot about your com­pa­ny, includ­ing where you came from, where you are today, and where you are head­ed. By tak­ing stock of your data, you also will have a bet­ter idea about how it is shared with oth­er busi­ness­es and with customers.

How does your data help you solve prob­lems? How does it tell your cus­tomers who you are? What would you present to your finan­cial back­ers?” Dennedy said. If you want to secure data and address pri­va­cy, you have to know what infor­ma­tion is out there and how it is get­ting used.

2. Make a plan

The best thing you can do for your­self is have a doc­u­ment­ed plan that out­lines your busi­ness based on the data you’ve tak­en stock of and then cre­ate a plat­form on how you’ll use this data mov­ing for­ward. The plan will help you out­line how your com­pa­ny is sit­u­at­ed and whose data you are work­ing with, and then you can begin to deter­mine what and who is at risk. This is the start of your pri­va­cy and secu­ri­ty process­es, and by the time you get to step four, it should be a part of the reg­u­lar busi­ness plan.

3. Start exe­cut­ing your plan

One of the fea­tures of GDPR is the Pri­va­cy Impact Assess­ment (PIA). Depend­ing on the size and type of the orga­ni­za­tion, the PIA can be quite sim­ple or can require hun­dreds of pages of doc­u­ments. No mat­ter how com­pli­cat­ed, the PIA is a step-by-step process to deter­mine all of the per­ti­nent infor­ma­tion sur­round­ing data: who owns it, what amount is PII, can the data iden­ti­fy a par­tic­u­lar enti­ty or per­son. The PIA also requires a descrip­tion of how the orga­ni­za­tion expects to process data and why.

You need to fig­ure out where the per­ti­nent data live with­in the meta­da­ta, doc­u­ment that, and then come up with a plan of attack,” Dennedy said.

4. Pro­tect­ing data in motion

You know what and where your data is. You have a plan man­ag­ing it, and you’ve writ­ten that plan down in your PIA. Now you have to under­stand how you’ll pro­tect the data as it moves through jurisdictions.

If you have infor­ma­tion about peo­ple in the EU, that infor­ma­tion is cov­ered by GDPR,” Dennedy said. Pro­tect­ing the data includes deter­min­ing whether the data is being col­lect­ed and processed legal­ly and deter­min­ing whether and where the data can be transferred.

5. Secure the data

Now that you have a good under­stand­ing of the con­text and loca­tion of your data, you have a clear­er com­pre­hen­sion of the secu­ri­ty sys­tem you’ll need to pro­tect this information.

Will every­one be ready to meet the May dead­line next year? Prob­a­bly not, Dennedy said, but we should expect some orga­ni­za­tions to fail because they aren’t pre­pared. The GDPR is a secu­ri­ty game changer.

We’re a dig­i­tal world,” Dennedy said. “If you want to be rel­e­vant, you have to get a grip on your data.”

More sto­ries relat­ed to GDPR compliance:
Ready for new EU data pro­tec­tion rules? Four steps to mas­ter compliance
Loom­ing GDPR man­date requires sea change in cor­po­rate cyber­se­cu­ri­ty tactics
Pri­va­cy Shield aims to bridge EU-U.S. dig­i­tal pri­va­cy gap, but ques­tion marks remain


Posted in Featured Story, Guest Essays