In just a few short weeks, more than two years after being approved by the EU Parliament, a strict new regulation designed to protect personal data used for business purposes in the EU — the General Data Protection Regulation (GDPR) — will become effective.
This requires any organization in any location to adhere to specific rules when processing (i.e., collecting, using, storing, sharing, or deleting) any personal data related to any EU activities. It also, as many well know, can result in substantial penalties for noncompliance. These can include fines of up to 20 million EUR or four percent of an organization’s global annual revenue.
While some noncompliant organizations outside the EU may be able to avoid these (due to difficulties in enforcing EU law), those in countries whose governments are sympathetic, like the United States, may be forced to pay.
If your company is among those required to comply, are you ready? If not, here’s a quick snapshot of the GDPR and recommendations for reducing your risk.
For those not fully familiar with GDPR, its underlying premise is that data protection and security should be the first consideration in all business applications and processes. Its mandates therefore include (but are not limited to) the following:
- Companies must include “privacy by design” in their security strategies. This means data processing practices must be designed so that an individual’s rights are protected by default.
- To collect data, organizations must record all consent from individuals; also, blanket consent or consent by inaction is no longer permitted.
- Organizations must collect only the data that’s needed, particularly when an individual consents to its use; additional data cannot be collected and stored for unrelated analysis.
- Once data has been obtained, organizations will be held accountable for protecting it at rest, in transit, and in use. They must also have auditing capabilities to know who accessed the data, where, and when.
- Should a breach occur, organizations must notify authorities within a certain time frame.
Key components for individuals
For individuals (or “data subjects”), GDPR protects their rights as follows:
- Eliminates “opt out” consent, as noted above
- Requires parental consent to store any data related to children
- Provides the right to rectification, as well as the right to ask for and obtain their own data that’s being stored
- Provides the right (in some instances) to be forgotten; this means organizations are responsible for deleting data themselves and for advising any partners or suppliers they’ve shared the data with to do the same.
- Provides the right to request that one’s data be moved to another organization/system (right of portability), and, in certain cases, organizations must comply.
How organizations can reduce their risk
If your organization is among those required to comply with GDPR, but isn’t yet ready, you can reduce your risk of penalties by a) documenting any steps taken toward compliance and b) developing a comprehensive plan to achieve full compliance in reasonably short order, which can be made accessible to regulators upon request. This will show your willingness to comply and serve as a record of ongoing and future progress should a breach occur. Companies should also keep a roadmap of any additional risks encountered and mitigation steps taken.
Other ways of avoiding penalties include reviewing key areas of GDPR, such as designated procedures for data breaches, and either changing security configurations or putting other mitigating processes in place (e.g., employee training or reductions in data use) until full compliance is achieved.
Companies not in full compliance by May 25 can also minimize marketing efforts toward people in the EU. This is because direct consumer marketing now requires consent under GDPR, with requirements that are fairly narrow. Here, the best approach is to determine the correct course of action before proceeding further.
Other steps include:
- Hiring or appointing a data protection officer (DPO) where necessary, but, at the very least, putting an effective privacy governance structure in place as soon as possible, with an accountable leader who is appropriately qualified, resourced, and funded. It should also be noted that while a DPO is recommended for all, it’s actually a requirement for any organization that processes data on a “large scale” or processes special categories of data. It’s also required if processing is done by a public authority.
- Classifying data, i.e., identifying which of it is PII. PII is anything that allows someone to identify a person (either directly or indirectly), such as a name, children’s names, location data, cookies, IP addresses, etc. In doing so, note what data is being collected and why. The GDPR specifically requires organizations to maintain a catalogue of all personal data they process, noting why and how they process it and who they share it with.
- Evaluating the data and identifying which of it is most vulnerable (highest risk) from a security standpoint.
- Completing a Privacy Impact Assessment to document the data protection lifecycle, from collection through destruction. This should include data details such as type (e.g., historical or current), location and storage method, the names of those who can access it, what it’s being used for, and whether it’s being shared with another person or entity. Also, note how the data is being protected, or will be.
For more details on how your organization can achieve regulatory compliance in this and other key areas, please contact us at msigts.com
For an expanded version of this article, please visit LinkedIn here: http://ow.ly/Jbrw30iDRUt
By Gayle White, director, Business Process Management, MSI Global Talent Solutions