Ready for new EU data protection rules? Four steps to master compliance
Companies of all sizes, locations should start now to put policies in place to avoid fines
By Daren Glenister, Special to ThirdCertainty
With fewer than 500 days until May 2018 rolls around, the countdown to when the EU’s General Data Protection Regulation (GDPR) goes into effect is on.
As a regime designed to help protect personal data belonging to citizens of the EU, GDPR doesn’t just impact firms located in Europe. It’s created to ensure people’s personal information is protected regardless of where it’s sent, processed or housed. Thanks to the internet, this umbrella spans well beyond the EU’s physical boundaries.
Although organizations everywhere will be affected by the heavyweight regulation, there isn’t one foolproof approach to compliance. There are several steps companies should follow if they want to avoid fines of €20 million ($21.3 million) or 4 percent of annual revenue, penalties that could cost up to billions of dollars.
So, if you have any connection to European vendors or customers, and are handling their data, you have about a year to prepare. Whether you’re working remotely from your favorite Dunkin’ Donuts in New England or building a team in the heart of Sydney, Australia, GDPR compliance should be your new best friend.
Talk data to me: GDPR compliance checklist
Because companies like Microsoft and Facebook are announcing that they are compliant, it may seem like the GDPR is only applicable to large, global companies. However, small to midsize businesses (SMBs) that are conducting any type of European business, sales, marketing, HR or any other communication or relationships also fall under its mandate. When it comes to GDPR, firms of all sizes need to understand their roles and responsibilities in complying with the regulations.
Due to the GDPR’s lengthy provisions, there’s no “one-step solution” to achieve compliance. Because SMBs and larger enterprises are held to the same standard, below are four recommendations organizations everywhere should follow—regardless of both size and location:
1. Develop a data security strategy
Companies should be thinking critically and strategically when dealing with GDPR compliance since it’s vital to pinpoint where responsibility for data security lies early on. From there, organizations should develop a corresponding response strategy.
To help plan a privacy strategy, businesses can run a complete inventory to show the flow of data throughout their systems. Under GDPR, companies will be held responsible for the loss or mishandling of EU citizens’ data if there is a breach—even if they’re outsourcing the storage or handling of the data to a third party. Having policies in place in the event of data privacy issues will encourage accountability and maintain overall business agility.
Organizations should be prepared to employ companywide controls, policies and procedures for compliance with the help of the legal, IT and security teams. Chief information security officers (CISOs), together with the emerging role of data privacy officer, can work together to help manage, direct and guide these teams throughout the entire process.
2. Hire a data privacy officer
One of the requirements of the regulation is that some organizations must hire a data privacy officer or data protection officer to help educate the business on GDPR and on the data privacy protocols that come with it. Organizations with more than 250 employees may be required to hire a data privacy officer. But even if GDPR doesn’t make a data privacy officer mandatory, designating an expert who can help implement a strong and successful data security strategy is a good idea. This person should be in charge of keeping members of the C-suite informed and up to speed on how personally identifiable information is being protected, and on any changes in data privacy laws in each region where they do business.
Companies that don’t take hiring a data privacy officer seriously stand to lose a lot of money, on top of their reputation, if they’re fined for failure to comply.
3. Vet vendors
It’s equally important to ensure cloud providers can also comply with the new regulation. Businesses should be asking their vendors questions such as: How much personal data will go through this vendor? Where is it going to flow? How is it going to be stored? How is data deleted from the system? From a holistic perspective, are there any privacy strategies in place? Are they following or implementing proper policies and governance structures? Are their employees being trained on data privacy? All these questions, and others, need to be answered.
For SMBs, this step is even more important, as nearly 75 percent are overwhelmed by cloud adoption to begin with and need help in this transition period. Recognizing the right questions to ask cloud providers ahead of GDPR can help close the gap.
4. Keep tabs on data in motion
Businesses oftentimes focus on securing internal databases and servers without considering how their data moves from place to place. Since information is being shared within and outside the organization via the cloud, companies need to be able to track how that data moves and who has access to what information.
For example, if data is processed and stored within the European Economic Area (EEA), that data may not leave the EEA, which comprises the EU member states plus Iceland, Norway and Liechtenstein. That’s when certain mechanisms like EU Model Clauses—an agreement between service providers and customers to ensure any personal data leaving the EEA is transferred in compliance with the regulation—come into play.
The best defense is a good offense
GDPR requires that any company doing business in the EU, no matter how small or large, needs to securely collect, store and use personal information. Just like the big guys, smaller companies also must pay for violations that may occur, even if noncompliance is accidental.
Although a year may seem far away, there’s no better time than now to start putting policies into place to ensure compliance. Microsoft’s recent commitment to GDPR compliance demonstrates the need to be proactive before it might be too late. Companies would be smart to follow in the software giant’s footsteps and act now to avoid hefty fines down the road.