The European General Data Protection Regulation (GDPR) will be enforced starting May 25th, 2018. That’s only 10 weeks away! Are you still scrambling to become compliant? You’re not alone. According to a survey by Solix Technologies, 22 percent of companies were still unaware they had to comply with GDPR as recently as December. The general consensus is that half of all US companies that should be compliant with GDPR by May 25 will not be.
Do you need to meet GDPR compliance? Most likely, yes. If you have an office in the EU or handle EU data in any way (including as a third-party vendor), you will need to meet the new requirements. Otherwise, you risk potentially extraordinary fines from regulators who will be looking to make an example of non-compliant organizations early on.
GDPR will be difficult to comply with. That’s partly because some of the definitions are too broad to be easily understood, but it’s also because GDPR demands accountability and mitigation against unauthorized data use or access at every stage of the data lifecycle. That’s forcing many companies to rethink their entire strategy in Europe–no easy task. This post outlines key considerations you need to make when determining your GDPR compliance strategy.
Understand what data will be affected by GDPR
“Personal” data means many things to many people. It could be anything from your name to your medical records, and everything in between. And in the case of GDPR compliance, that’s exactly what it means. Other types of data that must be protected include:
- Web data such as IP addresses and cookies
- Health and genetic data
- Race and ethnicity
- Political opinions
- Sexual orientation
- Basic information such as ID numbers, addresses, etc.
Once you understand what data needs to be protected, you can ensure the systems built around that data are compliant with GDPR requirements.
Designate employees to ensure continuing GDPR compliance
GDPR compliance requires companies to have a designated Data Protection Officer (DPO) if they process or store large quantities of EU data (although the definition of “large” is unclear), “regularly monitor data subjects” or are a public authority. However, some public authorities, such as law enforcement, may be exempt from designating a DPO.
You’ll also need a Data Controller, someone who determines how the company’s data is processed and why it is being processed. They’ll also need to make sure any third parties are compliant with GDPR. See more about third parties below.
Ensure your third-party vendors comply with GDPR
As with most regulatory requirements, the onus to be compliant with GDPR is not just on you. Organizations must show that they, as data controllers, are compliant, and that any data processors (e.g., cloud providers) they work with are as well. This may mean spelling out the responsibilities of each organization in the supply chain, from the data controller host to the SaaS vendors, payroll companies, and cloud providers that work with them. Each must be able to show compliance with the rules for reporting data breaches under GDPR.
Because the scope of accountability is expanding, this may mean revising data privacy and responsibility contracts to address these requirements. If you or your vendor(s) should fall victim to a data breach, everyone must know how to respond appropriately in accordance with GDPR. If they don’t, you could face some hefty fines as a result of being found out of compliance. Organizations may need to carefully scrutinize their vendors and identify which ones require the most attention from an information security perspective. Does your public cloud provider require more or less management than your payroll processor? If so, how will you manage that relationship?
In addition, organizations must be able to clearly explain to customers (so no “legalese” contracts) how their data is being stored and processed. IT risk and governance teams will need to understand exactly how the customer’s data is being processed, stored and used so they can in turn explain it to said customer. This may mean a revision of client contracts, which can be anything from a fully signed privacy agreement to the “I accept the terms and conditions” click-through agreement on your website.
Readily purge anyone’s data upon their request
GDPR requires companies to have the ability to purge an individual’s data upon their request. This is known as “the right to be forgotten.” According to the Solix survey, 66 percent of companies say they are not sure they can permanently destroy data by May 25. Are you one of those companies? If so, you will need to rethink and address your data destruction policy.
However, it’s important to note that GDPR does not usurp other legal requirements, such as HIPAA. Data retention requirements under that regulation must be adhered to first and foremost.
Pay attention to your mobile devices and platform
More and more organizations are working with mobile platforms and devices. That means a whole extra set of data security protocols that need to be addressed with GDPR compliance. If your customers can log into your application via a mobile device, the data stored there will also need to be compliant with GDPR. This could be hard to enforce because unauthorized employee use of applications is especially tricky with mobile devices.
Put a process in place for ongoing compliance
Any organization known for strong adherence to regulations understands that it’s not a checkbox to be marked off once a year and forgotten. Technology and business are always changing and evolving, and security policies should reflect those changes. Investing in creating a new app? It may need to be GDPR compliant. Shutting down a legacy application? How will you migrate, destroy or archive the data associated with it so that you remain in compliance? Creating an ongoing risk assessment plan and taking steps to remediate vulnerabilities or weaknesses will go a long way towards building up GDPR compliance and maintaining it.