The noise around the General Data Protection Regulation (GDPR) has been unavoidable, and for good reason. GDPR is coming into effect in a few short days (May 25 to be exact). The large fines associated with not complying with the regulation have encouraged organizations to prey on the large number of businesses that are unprepared. Everyone claims to have the one cure-all solution that will solve the compliance challenge.
The truth is, there’s no universal remedy. However, there are a few steps every organization should take to ensure it is ready for GDPR, and they are outlined below.
While GDPR is a change for the better, the work involved (a gap analysis, remediation with a documented strategy, and the implementation of process, procedure, best practice and technology) is easier said than done. Many organizations will struggle to hit every step needed to be truly compliant. For a better understanding of the regulation, the UK Information Commissioner’s Office (ICO) is an independent source that covers all the details. This is a great resource, considering the ICO will be auditing UK companies for compliance once GDPR is in effect.
With all the panic-inducing articles around GDPR, it’s hard to imagine it being a good thing, but it is. It’s no secret that our world is becoming more digitized. With internet access, it’s possible to do nearly everything from the comfort of your home. Even when we do decide to venture from home, nearly anything we could imagine has been automated and is being conducted online. Most of these luxuries rely on consumers’ willingness to freely give out credit card numbers, medical ID numbers, passwords and more. All the while, valuable information is handed to unknown individuals or organizations that are expected to keep it secure.
GDPR was created to ensure that giving out personal information is no longer a gamble. Personal data is exactly what GDPR aims to protect. Not only will the new regulations protect customer data, they will let customers control the way their data is stored and processed. Consumers can request to see their data at any time or ask that any or all of their data be permanently deleted. Customers will now own the rights to their data. This is a game changer and will eliminate the need to question the ulterior motives behind every form filled out.
GDPR requires every organization that collects personally identifiable information (PII) on European Union citizens to be compliant.
Step one: Admitting you have a problem
Every business will undoubtedly need to assess its data and take steps in the right direction to prepare for GDPR. For some organizations, it may be a slight change to tie up loose ends. For others, it might end up being a heavier lift. According to a recent survey by Vanson Bourne, 24 percent of surveyed companies were not aware of GDPR or its implications. And of those that were, 17 percent had no plan to become compliant. Remember, GDPR applies to any organization that controls or processes any PII of EU citizens, irrespective of the organization’s geographical location.
Step two: Assess the situation
The most important part of becoming compliant is analyzing the data. A business needs to have eyes on everything to know where its weak points exist. What data does the organization have on hand? How is the data stored and processed? Where is it stored? Who has access to it?
If there is data being stored that is irrelevant to the business, it should be deleted. Everything else needs to be run against the test of compliance. Has the subject consented to the collection of this data? Is it easily deleted? Is it easily accessible to provide upon request?
Step three: Protect the data
Once there is a full understanding of the data, the next step is to protect it at all costs. This includes security for data at rest and data in transit.
This part can be a challenge for many organizations because the GDPR requirements do not explain how to protect the data, just that it needs to be protected. One instance where GDPR goes a step further is in Article 32, which requires “the pseudonymizing and encryption of personal data”. Although this seems obvious, there have been countless instances where unencrypted data has been at the center of a data breach. For example, the Queen of England was the victim of a data leak when security details on an unencrypted USB drive were found outside Heathrow airport. Article 34 also states that in the event of a breach where the data had been encrypted, there is no longer a requirement to notify each data subject, saving organizations administrative costs. Essentially, applying encryption to all personal data within the organization would protect you across the board.
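Steps two and three above come down to three concrete questions about each data subject: can their data be found, produced on request, and deleted, and is it pseudonymized as Article 32 asks? The Python below is an added example written for this article, not code from the original post or from any GDPR product. It assumes a keyed HMAC-SHA256 token as the pseudonym, an in-memory processing store that refuses rows still carrying direct identifiers, and a separate key holder; the sample records and the demo key are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample data: a tiny PII inventory of the kind step two asks for.
# "email" and "name" identify a person directly; "plan" and "country" are business data.
RAW_RECORDS: List[Dict[str, str]] = [
    {"email": "anna@example.org", "name": "Anna Example", "plan": "pro", "country": "DE"},
    {"email": "bo@example.org", "name": "Bo Example", "plan": "free", "country": "FR"},
    {"email": "Anna@Example.org", "name": "Anna Example", "plan": "pro", "country": "DE"},
]

DIRECT_IDENTIFIERS = ("email", "name")


def make_token(key: bytes, identifier: str) -> str:
    """Keyed pseudonym for one identifier: HMAC-SHA256 over the normalised value.

    A plain hash would be reversible by guessing common e-mail addresses; with a
    secret key the token cannot be linked back to the person without that key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class KeyHolder:
    """Holds the 'additional information' that links tokens back to people.

    GDPR requires this to be kept separately from the pseudonymised data. Destroying
    the key makes every token unlinkable (crypto-shredding), which is one way to honour
    an erasure request that also reaches copies you can no longer edit, such as backups.
    """

    def __init__(self, key: bytes) -> None:
        self._key: Optional[bytes] = key

    def token_for(self, email: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: tokens can no longer be linked to a person")
        return make_token(self._key, email)

    def pseudonymize(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy with direct identifiers replaced by a single subject token."""
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = self.token_for(record["email"])
        return row

    def destroy(self) -> None:
        self._key = None


class PseudonymisedStore:
    """Processing store holding only pseudonymised rows; alone it cannot re-identify anyone."""

    def __init__(self) -> None:
        self.rows: List[Dict[str, str]] = []

    def add(self, row: Dict[str, str]) -> None:
        # Guard rail for step two: no direct identifier may reach the processing store.
        if any(field in row for field in DIRECT_IDENTIFIERS):
            raise ValueError("refusing to store a row that still carries direct identifiers")
        self.rows.append(row)

    def export_for_subject(self, token: str) -> List[Dict[str, str]]:
        """Access request: every row held under this subject's token."""
        return [dict(r) for r in self.rows if r["subject_token"] == token]

    def erase_subject(self, token: str) -> int:
        """Erasure request: drop every row for the token; returns how many were removed."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["subject_token"] != token]
        return before - len(self.rows)


def run_demo(key: bytes = b"constructed-demo-key-use-a-KMS-managed-secret-in-production") -> Dict[str, int]:
    """Load the sample inventory, then serve an access and an erasure request for one subject."""
    holder = KeyHolder(key)
    store = PseudonymisedStore()
    for record in RAW_RECORDS:
        store.add(holder.pseudonymize(record))
    stored = len(store.rows)
    # The two spellings of Anna's address normalise to the same token.
    token = holder.token_for("anna@example.org")
    exported = store.export_for_subject(token)
    erased = store.erase_subject(token)
    return {"stored": stored, "exported": len(exported), "erased": erased, "remaining": len(store.rows)}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under GDPR as long as someone holds the key, so the key holder needs the same protection the plaintext would, and the Article 34 relief for encrypted data only applies if the keys were not exposed in the same breach. The "refusing to store" check is the kind of control that turns the step-two questions into something that can be tested rather than just answered.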
Step four: Educate
The last step is to create an employee education and awareness program. Corporate data is increasingly being accessed from mobile devices in various locations. Every single employee needs to be held responsible for the data they access outside of the organization. They should follow the corporate data protection policy and fully grasp their role in the protection of customers’ data.
The previously mentioned survey found that 48 percent of the surveyed companies said employees are their biggest security risk. That’s nearly half of the organizations revealing that they don’t trust their own employees’ understanding of data protection. And 44 percent expect that their employees will lose data and expose their organization to the risk of a data breach. This presents an obvious way to prepare for GDPR. Equip the workforce with the right training and tools to understand GDPR and what their obligations are under it.
With GDPR in place, organizations will be required to secure all personal data and will be audited on their ability to deliver. Individuals will be more aware of what rights they have to their data and will have a bigger say in the handling of it. Consumers can expect companies to do everything GDPR mandates.
GDPR affects everyone, and it’s time to embrace the change. Consumers should hold organizations responsible for the way their data is treated, and businesses need to take this opportunity to get their houses in order.