5 steps U.S. companies should take to prepare for GDPR enforcement
Getting a grip on data ahead of time can help avoid headaches later
By Sue Poremba, ThirdCertainty
The deadline for organizations to be compliant with the European Union’s General Data Protection Regulation (GDPR) is less than a year away. On May 25, 2018, every organization that holds, processes or transfers the personal data of people in the EU must have the processes and policies in place to meet the regulation’s requirements.
GDPR isn’t a suggestion that companies adopt best practices for customer data privacy; it is a regulation, directly enforceable in every member state, and violations can draw fines of up to €20 million or 4 percent of annual global turnover, whichever is higher. Not only will all companies in the EU be required to meet the new rules, but GDPR also applies to any organization, wherever it is based, that holds or processes the data of people who are in the EU.
That includes businesses based in the United States. However, a number of organizations are still either unfamiliar with GDPR or don’t see the deadline as critical. Small and medium-size businesses are not exempt from GDPR, yet they may have the most to lose from being found noncompliant.
The situation is not totally dire for those who haven’t begun planning. Michelle Dennedy, vice president and chief privacy officer at Cisco, offered five steps U.S. companies should take to be prepared for when GDPR takes effect.
1. Take stock of your data
Your data will tell you a lot about your company, including where you came from, where you are today, and where you are headed. By taking stock of your data, you also will have a better idea about how it is shared with other businesses and with customers.
“How does your data help you solve problems? How does it tell your customers who you are? What would you present to your financial backers?” Dennedy said. If you want to secure data and address privacy, you have to know what information is out there and how it is getting used.
2. Make a plan
The best thing you can do for yourself is to have a documented plan that describes your business in terms of the data you’ve taken stock of, and then lay out how you’ll use that data going forward. The plan helps you map how your company is situated and whose data you are working with, and from there you can begin to determine what, and who, is at risk. This is the start of your privacy and security processes, and by the time you get to step four it should be part of the regular business plan.
3. Start executing your plan
One of the features of GDPR is the Privacy Impact Assessment (PIA), which the regulation itself calls a Data Protection Impact Assessment (DPIA) and requires under Article 35 for processing that is likely to pose a high risk to individuals. Depending on the size and type of the organization, the PIA can be quite simple or can require hundreds of pages of documentation. However complicated, the PIA is a step-by-step process for establishing the pertinent facts about the data: who owns it, how much of it is personal data, and whether it can identify a particular person or entity. The PIA also requires a description of how the organization intends to process the data and why.
“You need to figure out where the pertinent data live within the metadata, document that, and then come up with a plan of attack,” Dennedy said.
4. Protect data in motion
You know what and where your data is. You have a plan for managing it, and you’ve written that plan down in your PIA. Now you have to understand how you’ll protect the data as it moves between jurisdictions.
“If you have information about people in the EU, that information is covered by GDPR,” Dennedy said. Protecting the data includes determining whether it is being collected and processed on a lawful basis and, because GDPR restricts transfers of personal data out of the EU, determining whether, where, and under what transfer mechanism the data may be sent.
5. Secure the data
Now that you have a good understanding of the context and location of your data, you have a much clearer picture of the security controls you’ll need to protect it, and of the “appropriate technical and organisational measures” GDPR requires you to show for it.
Will everyone be ready to meet the May deadline next year? Probably not, Dennedy said, and we should expect some organizations to fail because they aren’t prepared. GDPR is a security game changer.
“We’re a digital world,” Dennedy said. “If you want to be relevant, you have to get a grip on your data.”