RSVP to GDPR – Your compliance is required
Even though it may seem less like an invitation and more like a jury summons, the General Data Protection Regulation (GDPR) is not all doom and gloom. Instead of thinking of GDPR as an intimidating event where your presence is mandatory, see it as an opportunity to build trust with your customers while abiding by the law.
Complying with GDPR requirements ensures that the level of security and protection your organization has in place is ready for the digital era. But who's ready to attend the GDPR party? According to recent reports, almost no one. So as businesses race to check all the boxes for GDPR compliance, we've broken down exactly what you're RSVP'ing to.
Who – GDPR requires all businesses operating within the European Union, or that handle EU citizens' personal data (name, identification numbers, location, etc.), to obtain explicit consent to collect and use this data and to notify citizens in the event of a hack or a breach. To ensure their continued access to the EU market, organizations, especially financial institutions, need to invest in compliance. By appointing a data protection officer to oversee data security, businesses can make sure they are reviewing all personal information entering and leaving the organization.
What – With a record number of breaches occurring in the last year alone, personal privacy rights are top of mind for many organizations. Organizations now carry increased responsibility for protecting the personal data of their customers. The goal of GDPR is to protect and enable the privacy rights of individuals, giving citizens more control over their data. These regulations have been established to enforce stricter global privacy requirements that govern how organizations manage and protect personal data while respecting individual choice, no matter where that data is sent, processed, or stored.
To comply, organizations will need to update and deploy highly transparent privacy policies, strengthen data protection controls, and further invest in IT and training. Furthermore, these organizations will now be mandated to report hacks to those affected in the event of a data breach. Organizations that do not comply by the May deadline could incur significant penalties. Whether an organization intentionally or inadvertently fails to comply, it could be hit with steep sanctions and substantial fines: up to 20 million euros, equivalent to 24 million US dollars, or four percent of global turnover from the previous year.
Where – While GDPR is primarily focused on companies operating in the EU, that doesn't mean organizations outside the EU are exempt from compliance. All businesses that deal with the data of EU citizens must comply with the regulation, no matter where those businesses are located; this includes any organization that offers goods and services to people in the EU and collects and analyzes data tied to EU residents. That means if you're a US-based company doing business within the EU (think: any major global corporation), you're still required to comply with GDPR.
When – All businesses must comply with GDPR by May 25, 2018. The GDPR framework was adopted by the European Parliament on April 27, 2016, and its provisions become directly applicable in all member states two years after that date.
Why – As technology continues to evolve and serve as a catalyst for both individuals and organizations to become more efficient, it also adds a new layer of complexity to the world we live in. With the rapid rate of innovation have come challenges and public debates over how organizations govern technology and the data it produces. Connected devices and services provide organizations with valuable data on individuals, creating new opportunities to personalize service and drive new business models, and this in turn has elevated security and privacy concerns. Over the years, as organizations have gathered data across multiple IT systems and stored it on desktops, mobile devices, on-premises servers and "in the cloud", the levels of security and compliance have varied. Under GDPR it doesn't matter where data is created, processed, stored, managed or protected; it holds your organization to the same standard across all your IT environments. This helps protect the privacy of customers and ensure their trust.
How – To complete the compliance process, organizations need to identify, classify and label personal data at the time of creation or modification, with that classification logged for use within that organization and only within it. Next, they need to identify a solution that manages the classified data and automatically enforces governance actions, such as revoking the ability to share. Once these steps are completed, it is up to the business to monitor how the classified content is used and to take the necessary reporting steps when people attempt to access shared documents without authorization.
The key to a smooth road to GDPR compliance lies in adopting the right technology and designing the right policies and procedures. The best option will be a proven technology that complies with industry standards and provides proper encryption to ensure safe transit and storage of data, rendering it useless to hackers in the event of a data breach. At the end of the day, the simplest way to complete your GDPR compliance journey will be to adopt a platform you can trust and that will ensure all the appropriate controls are in place, so you can keep the party going.