In 2016, the European Parliament enacted a regulation called the General Data Protection Regulation (GDPR). The regulation was created to standardize how companies protect personal data. Although it applies primarily to EU citizens, the rule also touches on exporting data outside of the EU.
Whether your organization is inside the EU, doing business there, or you just want to iterate on data protection best practices from around the world, here’s how to determine whether your organization is GDPR-ready.
Who Needs to Meet GDPR Standards?
You’re required to meet GDPR standards if your organization is based in an EU member state. You’re also subject to the regulation if you collect or process data from people residing in EU member states, or if you market goods or services to EU residents. The “data” being referred to includes names, addresses, photos, email addresses, online posts, and IP addresses.
What the GDPR Comprises
The GDPR addresses several modern data security challenges. The overarching goal is to standardize data protection practices in a number of key areas. These include:
- Consent for data processing
- The anonymizing process for data collection
- Notifications around data breaches
- Frameworks for cross-border data transfers
- Data erasure
- Data protection personnel within organizations
Some Notable GDPR Requirements
The scope of the GDPR is large, and depending on your organization’s size and location, different rules will apply. The following are some notable GDPR requirements your firm should consider:
- One-stop shop - EU member states will establish an independent Supervisory Authority to investigate complaints, sanction offenses, and provide accountability for non-compliance. The authority acts as a one-stop supervisory shop, so that a single set of rules applies across all member states.
- Pseudonymization - When data is processed so that it can no longer be attributed to a specific data subject, any decryption keys have to be kept separately from the data. Pseudonymization is recommended as a way to mitigate risk.
- Data breaches - Data controllers are obligated to report any data breach to the Supervisory Authority within 72 hours of becoming aware of it.
- Right to erasure - A data subject can request that their personal data be erased.
- Records of processing activities - Records of all processing activities should be maintained and made available to the Supervisory Authority upon request.
How to be GDPR Compliant
If you plan to be GDPR compliant, you have until the EU’s deadline of May 25, 2018. If you’re required to comply and miss this deadline, you’ll face fines, plus whatever reputational damage non-compliance may cause. Here are the steps you can take to make sure you’re GDPR compliant by the deadline:
- Appoint key compliance personnel - The GDPR requires companies to maintain data controllers, data processors, and a data protection officer. Individuals with these roles are responsible for defining how and why data is processed, overseeing data security, and ensuring that everyone maintains compliance.
- Plan financially for the GDPR - Surveys indicate that most companies based in the US will spend between $1 million and $10 million to meet GDPR requirements. A small percentage of companies plan to spend in excess of $10 million. Depending on your company’s size, GDPR compliance will require a significant part of your budget.
- Assess your data sources - Where does your data come from, and where are the access points for data retrieval? Plan to build a comprehensive overview of this landscape so you understand how and where your data is being used. Part of this overview is understanding your vulnerabilities and the points where you are potentially exposed to a breach.
- Lay out a plan for data protection - If you already have a data protection plan in place, evaluate it with an eye toward GDPR compliance. If you don’t yet have one, now is the time to create it. Document your privacy rules, and map out a strategy for fixes, troubleshooting, and implementing protections. You may need to define roles for future GDPR governance and decide where they belong within your organization. Understand how forecasting and analysis will be carried out, and plan for continual risk assessment.
- Communicate your data protection plan - Notify all stakeholders of the upcoming GDPR requirements, and communicate what you are doing to be in compliance. You may want to establish a GDPR task force to uphold accountability.
- Hire outside resources if necessary - If your firm is too small to handle the infrastructural changes and scaling requirements on its own, hire outside help. Whether it’s an IT security consultant, a compliance attorney, or a change management expert, there are teams and individuals who will be better equipped to help you. These experts may run incident response drills or test your IT systems so you can streamline your response and reporting procedures.
One major part of compliance is maintaining business continuity, no matter what emergencies arise. For information on BlackBerry AtHoc’s networked crisis communications platform, contact us today.