The hottest topic in IT across Europe right now is the new General Data Protection Regulation or GDPR. But what do you need to know about this new regulation? With the purpose of the GDPR reforming the way data is both handled and protected, the effects are far-reaching and the fines are substantial.
A lot of people have been talking about the GDPR since it goes into effect on May 25th, 2018. However, despite the 28 member states of Europe having had 2 years to prepare, only Austria and Germany are currently prepared for the new regulations according to the European Commission.[1] In London, one in four companies weren’t even aware of the new regulation as of the end of January.[2]
Additionally, the insurer Chubb has warned that companies in France are also simply not ready; many are just starting to prepare for it.[3] According to Forrester analysts in early February, “just a quarter of organizations across Europe are thought to be GDPR compliant already, while another 22 percent expect to be GDPR compliant in the next 12 months.”[4] But 12 months puts them well past the deadline.
The GDPR reforms the way data is both handled and protected and will have far reaching effects and potentially substantial fines. Free trade agreements are even becoming subject to these privacy and protection standards, leaving Europe as the standard maker for data protection worldwide.[5]
Among various changes and upgrades, the new regulation is designed to require quicker reporting of security breaches (within 72 hours), clearer consumer consent (it must be “freely given, specific, informed, and unambiguous”, which means no more legalese, among other things), and give EU citizens greater control over their personal data (including the “right to be forgotten” and the right to move their data to another controller in a commonly readable format). It also includes stiff penalties for noncompliance, with fines up to €20 million (or 4% of worldwide revenue, whichever is higher). Unless you’re one of the few companies ready for the GDPR, it’s time to prepare, and quickly.
Here are 6 steps to help you get ready for the May 25th deadline:
1 – Conduct a risk assessment
Know what your company’s data protection plan is and identify the areas that need work to appropriately protect and secure client data. Many companies are holding data that is never used within the organization. If you don’t need the data, don’t collect or hold it.
2 – Create a data protection plan
Create a data protection plan that complies with the new regulations. Organizations can do this internally or hire external experts to help craft and interpret the regulations for their unique organization.
3 – Hire or assign a Data Protection Officer (DPO)
Hire a DPO if one is required for your company under the GDPR guidelines. If you don’t have this position in-house, you can engage an outside consultant to meet the requirement.
4 – Implement measures to mitigate risk
Implement measures to mitigate risk to data, in addition to those the GDPR requires regarding customer consent and access to their own data. Work with marketing and other departments to understand how data is collected and used, and what tools are in place for removing data and for recording consent.
5 – File a Record of Processing Activity (RoPA)
Indicate your organization’s intent to comply with the GDPR.
6 – Test your incident response plan
An incident response plan is a living document that needs to evolve with the organization. Just like a physical emergency plan, a virtual emergency plan is critical so that all key stakeholders know what to do, and how to do it, within a short amount of time. Time matters in every emergency, and under the GDPR the 72-hour breach notification window makes it a deadline.
The design of the GDPR requires following it entirely — failure to follow part is considered failure to follow it entirely. Since some of the areas of the GDPR are somewhat confusing and up for interpretation, being able to demonstrate intent to comply may save you from higher penalties. So, if you still have questions, getting assistance is a great idea.
Work with a cybersecurity and compliance company and get expert advice on how to meet the upcoming deadlines. Remember that GDPR compliance is a minimum standard that everyone should uphold. Be compliant, and use the regulation to help your organization learn how to better safeguard and handle personal data. It’s a serious issue that now has teeth and a timeline.
[1] As of late January: https://www.irishtimes.com/business/technology/european-commission-says-only-two-member-states-ready-for-gdpr-1.3366966
[2] http://www.cityam.com/279164/quarter-london-businesses-unprepared-new-data-laws-says
[3] https://www.strategic-risk-europe.com/gdpr-readiness-low-insurer-chubb-warns/1426319.article
[4] http://www.zdnet.com/article/gdpr-these-are-the-organisations-which-are-least-prepared/
[5] https://www.politico.eu/article/europe-data-protection-privacy-standards-gdpr-general-protection-data-regulation/