Ready for new EU data protection rules? Four steps to master compliance

Companies of all sizes and locations should start now to put policies in place to avoid fines


With fewer than 500 days until May 2018 rolls around, the countdown to when the EU's General Data Protection Regulation (GDPR) goes into effect is on.

As a regime designed to help protect personal data belonging to citizens of the EU, GDPR doesn't just impact firms located in Europe. It's created to ensure people's personal information is protected regardless of where it's sent, processed or housed. Thanks to the internet, this umbrella spans well beyond the EU's physical boundaries.

Although organizations everywhere will be affected by the heavyweight regulation, there isn't one foolproof approach to compliance. There are several steps companies should follow if they want to avoid emptying their wallets to fines of €20 million ($21.3 million) or 4 percent of annual revenue, which could cost up to billions of dollars.


So, if you have any connection to European vendors or customers, and are handling their data, you have about a year to prepare. Whether you're working remotely from your favorite Dunkin' Donuts in New England or building a team in the heart of Sydney, Australia, GDPR compliance should be your new best friend.

Talk data to me: GDPR compliance checklist

Because companies like Microsoft and Facebook are announcing that they are compliant, it may seem like the GDPR is only applicable to large, global companies. However, small to midsize businesses (SMBs) that are conducting any type of European business, sales, marketing, HR or any other communication or relationships also fall under its mandate. When it comes to GDPR, firms of all sizes need to understand their roles and responsibilities in complying with the regulations.

Due to the GDPR's lengthy provisions, there's no "one-step solution" to achieve compliance. Because SMBs and larger enterprises are held to the same standard, below are four recommendations organizations everywhere should follow, regardless of both size and location:

1. Develop a data security strategy

Companies should be thinking critically and strategically when dealing with GDPR compliance, since it's vital to pinpoint early on where responsibility for data security lies. From there, organizations should develop a corresponding response strategy.

To help plan a privacy strategy, businesses can run a complete inventory to show the flow of data throughout their systems. Under GDPR, companies will be held responsible for the loss or mishandling of EU citizens' data if there is a breach, even if they're outsourcing the storage or handling of the data to a third party. Having policies in place in the event of data privacy issues will encourage accountability and maintain overall business agility.

Organizations should be prepared to employ companywide controls, policies and procedures for compliance with the help of the legal, IT and security teams. Chief information security officers (CISOs), in addition to the rising data privacy officers, can work together to help manage, direct and guide these teams throughout the entire process.

2. Hire a data privacy officer

One of the requirements of the regulation is to potentially hire a data privacy officer or data protection officer to help educate your business on GDPR, in addition to looming data privacy protocols. Organizations with more than 250 employees may be required to hire a data privacy officer. But even if GDPR doesn't make a data privacy officer mandatory, designating an expert who can help implement a strong and successful data security strategy is a good idea. This person should be in charge of keeping members of the C-suite informed and up to speed on how personally identifiable information is being protected, and on any changes in data privacy laws in each region where they do business.

Companies that don't take hiring a data privacy officer seriously stand to lose a lot of money, on top of their reputation, if they're fined for failure to comply.

3. Vet vendors

It's equally important to ensure cloud providers also can comply with the new regulation. Businesses should be asking their vendors questions such as: How much personal data will go through this vendor? Where is it going to flow? How is it going to be stored? How is data deleted from the system? From a holistic perspective, are there any privacy strategies in place? Are they following or implementing proper policies and governance structures? Are their employees being trained on data privacy? All these questions, and others, need to be answered.

For SMBs, this step is even more important, as nearly 75 percent are overwhelmed by cloud adoption to begin with and need help in this transition period. Recognizing the right questions to ask cloud providers ahead of GDPR can help close the gap.

4. Keep tabs on data in motion

Businesses oftentimes focus on securing internal databases and servers without considering how their data moves from place to place. Since information is being shared within and outside the organization via the cloud, companies need to be able to track how that data moves and who has access to what information.

For example, if data is processed and stored within the European Economic Area (EEA), that data may not leave the EEA, meaning Iceland, Norway, Liechtenstein and the EU member states. That's when certain mechanisms like EU Model Clauses, an agreement between service providers and customers to ensure any personal data leaving the EEA will be transferred in compliance, come into play.

The best defense is a good offense

GDPR requires that any company doing business in the EU, no matter how small or large, securely collect, store and use personal information. Just like the big guys, smaller companies also must pay for violations that may occur, even if noncompliance is accidental.

Although a year may seem far away, there's no better time than now to start putting policies into place to ensure compliance. Microsoft's recent commitment to GDPR compliance demonstrates the need to be proactive before it might be too late. Companies would be smart to follow in the software giant's footsteps and act now to avoid hefty fines down the road.
