Is your company interested in being GDPR compliant? Should it be? An important part of GDPR compliance is the ability to ensure the ongoing confidentiality, integrity and availability of processing systems and services. It is also critical to be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
The European Union (EU) General Data Protection Regulation, or GDPR, is setting a new standard for consumer data privacy. It became effective May 25, 2018. Under the GDPR, it is important to know where your data is stored, how it is encrypted and where it is retained. GDPR has numerous changes from the existing law that affects how EU personal data should be handled and may impact every department across many businesses worldwide. It impacts any organization that processes EU personal data for itself or on behalf of others, as well as suppliers and other third parties that may process EU personal data for organizations.
If you operate a U.S.-based multinational enterprise doing business in the EU, you’re likely extremely aware of GDPR. You may also be painfully aware that you are not ready for the impending compliance requirements to protect Personally Identifiable Information (PII). For U.S. businesses doing business with clients in the EU, GDPR’s emergence signals that the time has come to do a thorough data management systems check and an information management audit. All systems and software are important considerations when looking to meet the requirements of GDPR, and should be part of adopting a robust organization-wide approach to GDPR compliance. Examples of personal data include name, email address, phone number, physical address, device identifiers like IP addresses, geolocation information, health information, financial information, age, date of birth, and more. Despite the fact that data — such as an individual’s name or email address — might be available through public searches or other public records, it may still be considered personal data that must be protected under the GDPR.
Being GDPR Compliant
GDPR requires organizations to inform individuals of high-risk data breaches, in addition to notifying the relevant data protection authorities. In the push to be GDPR compliant, a few key goals stand out.
Data Flow Audits: Data flow audits enable you to identify the information in your enterprise and how it moves from one location to another, such as from suppliers to clients. You should have conducted, or be planning to conduct, a data flow audit as part of your initial GDPR compliance steps, but it’s important to repeat the process consistently to account for unforeseen or unintended uses of critical business data. A third-party audit or risk assessment may be the better choice for some companies, while others will have in-house resources capable of handling this task. The outcome of an audit should include recommendations and actionable steps that mitigate risks and improve compliance.
GDPR Dream Team: Create a team dedicated to the GDPR transition. Ideally, this team will include representatives from each business unit. These team members can then serve as a department liaison for all questions and updates on GDPR compliance or issues as they arise. This dream team includes a Data Protection Officer.
Support Workforce Awareness: GDPR states that employees need to be enrolled in regular information security staff awareness courses. This should already be common practice in your organization, but it’s essential that staff complete these courses during their induction and repeat them at least once a year. Courses should also include information on the GDPR’s requirements and how employees can comply with them. Companies should work to present a comprehensive GDPR awareness program that addresses everything employees need to know. Many find it easier to turn to third-party providers for guidance on information security best practices and GDPR staff awareness training strategies. It is important to place an emphasis on the risks, such as fines and reputational damage, that the company will incur for non-compliance.
Emphasize Breach Identification Best Practices: Since GDPR requires a 72-hour reporting time frame for breaches, employees should be knowledgeable about how to identify suspicious activity that may indicate a breach has occurred, as well as the process for notifying the Data Protection Officer immediately. Prompt internal reporting gives the company time to verify whether a breach has taken place and to issue the appropriate notifications within the deadline.