The European Union is, for the first time, trying to create a global standard for regulating how personal data is handled and secured. Until now, data privacy regulation has been fragmented. The General Data Protection Regulation (GDPR) is a set of standards outlining minimum data privacy requirements that is being enacted by the European Union and takes effect on the 25th of May, 2018.
The GDPR attempts to safeguard an individual’s private information and carries severe monetary and other business-crushing penalties for non-compliance. Countries have previously approached this topic on their own, but with the world becoming more interconnected, many feel that a more global privacy standard is warranted. Whether you agree with the GDPR or not, it takes a strong approach to a complicated global topic.
Can the GDPR mandate stewardship and good behavior in the corporate sector?
The European Union is the first to attempt this global standard because it regards data protection as a right. The United States, on the other hand, has not stepped up to protect data as a right in the same way the EU has. If life, liberty, and the pursuit of happiness are guaranteed… where does your right to data privacy fall?
Make no mistake, the GDPR will affect the way US businesses conduct business and how they view data. If a US business markets to or does business with citizens of the EU, it is held to the regulation. If a website is accessed by anyone in the EU, if the site uses a European Union URL, or if it is translated and targeted to a European Union audience, the company will need to comply.
With 28 countries currently in the EU, this applies to small companies like a boutique purse manufacturer as well as to high-powered tech companies like Google and Amazon. It will be interesting to see where the line of reach is drawn for the regulation, and whose shortfalls become the first publicized cases.
The regulation approaches the issue from a risk-based data governance position: organizations should treat the data they collect as information held in stewardship, not as something they own outright.
The GDPR is a minimum standard intended to make organizations start addressing the issue of privacy and data.
Here are 8 main ideas contained in the GDPR that deserve your attention:
- Data Collection: What data do you have and where is it being stored?
- Legal Basis: Do you have a legal basis or legitimate organizational use for collecting the data? Does the language of your terms and conditions comply with the new regulation requirements?
- Data Protection Impact Assessments: Are you currently protecting the data that you are collecting?
- Data Governance Program and System: Do you have a system in place that addresses data at each step of its lifecycle?
- Data Retention and Reporting: Do customers or clients currently have the ability to erase their data entirely? What about erasing the data held by a third-party affiliate?
- Security Breach Response: Does your organization have a 72-hour response plan in place for a breach? Do you know to whom that breach must be reported? Do you have a contact or relationship with law enforcement?
- Vendor Management: Can your organization be sure that its vendors are secure and managing data properly as well?
- Data Portability and Transparency: Can your organization give a client their data in a readable format if they withdraw their consent for you to hold it? How does your organization disclose indirect data collection?
Can you answer these questions with confidence and accuracy? If you can’t… you need to seriously consider the strategy, and the people, that must be tasked with understanding your stewardship of clients’ personal data.
For more information, and a quiz to help answer some of these questions, please visit our GDPR Training page. We have specialized GDPR training available in off-the-shelf format as well as role-based training for specific departments:
- Human Resources
- Information Technology
- Legal and Compliance
- Sales and Marketing
- Software Developers