In April of 2016, after four years of debate and preparation, the EU Parliament approved the GDPR (General Data Protection Regulation). This landmark regulation was designed to protect data privacy and access, and to provide a way for EU citizens to seek damages should they suffer from misuse or breach of their data.
This regulation affects any company that does business with EU citizens, regardless of where that company is located. Among its components are:
- Mandatory breach notification. Data processors must notify their customers and business partners within 72 hours of becoming aware of any data breach.
- The right for customers to obtain confirmation on how and where their personal data is being processed, and for what purpose
- The right for customers to have their personal data “forgotten” or removed from electronic data (under certain conditions)
- The right for customers to receive their own personal data, and a right to “data portability,” or the ability to easily transfer information between service providers
- Privacy by Design. Data protection protocols need to be in place before a company collects personal information, and the regulation also limits who at the organization can access that data.
- Data Protection Officers. Certain companies must appoint an officer in charge of all data protection and privacy issues, and follow certain internal record keeping requirements.
What you need to do now
According to research and advisory firm Gartner, most companies are not ready for this change. In fact, Gartner predicts that more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
Unfortunately, if a company doesn’t adhere to the GDPR regulations, they could face a HUGE fine. Here are a few areas you’ll want to take a closer look at:
Are you a controller or a processor?
The regulation breaks out responsibility for protecting data into two roles: controllers and processors.
Which one are you? A “controller” is the person, business or public authority that “determines the purposes and means of the processing of personal data.” The “processor” is the person or organization that processes the personal data on behalf of the controller. In other words, the controller is the one who uses the information and the processor gathers it on their behalf.
Or, in an example given in an article on the website gdpreu.org, “If Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.”
Some companies are both. You may want to seek legal advice to ensure your role is properly defined.
Audit your data
Per a recent article on informationweek.com, auditing your data, while time-consuming, can have numerous benefits. The article suggests you “Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it.” Since information may have to be deleted, shared or made immediately accessible on request, having a single view of all information and where it is stored can be a vital time- and cost-saving measure.
Conduct a Privacy Impact Assessment (PIA)
You will need to assess how customers’ personally identifiable information (PII) is collected, used, maintained and disclosed to ensure it is protected adequately. As shared in an article at gdpr.com, “The PIA should be conducted throughout the development lifecycle of a system, but especially before you even start collecting the data. When risks are identified, the GDPR expects you to employ measures to address them, such as encryption, continuity plans or backups of the data.”
Remember, it’s not just about having a secure system. The real trick is in controlling who has access to the information and how it can be used. As stated in the same article quoted above, “security is about who has access to the data, privacy is about what you do with the data you have access to. Assuming security is good, the main risk will be the way in which you use the data.”
Let an expert help
At Single Path, we’re well known for “providing accountability for technology from the start.” Our team will work with you to put the processes and protections in place to ensure you are compliant with the GDPR, and any other regulations or requirements. From storage to security, we have the experience and resources to collaborate, educate and connect you with the tools you need.
Don’t risk a large fine from a lack of compliance. Let Single Path help you take the steps now to ensure you’re ready by May 25.