On May 25th, 2018, the General Data Protection Regulation (GDPR) becomes enforceable under law in the European Union (EU). It fundamentally changes how businesses (and the public sector) must handle information relating to their customers, giving greater protection to individuals and harmonising the laws for data-handling across the EU.
So, if this is an EU law then, as a non-EU organization, should you be concerned? This is a frequent question in articles, at events and in presentations. The simple answer for most international companies is YES.
If you are a small, non-EU business that’s never dealt with, or shipped to, anywhere outside of your home country or non-EU region, then it’s possible that GDPR will not be a concern. However, if you have just one single EU-based customer, partner or employee, then you’ll need to become compliant. GDPR has a different focus to previous data protection laws and ensures protection of Personally Identifiable Information (PII) related to an EU citizen, regardless of where in the world this data might be stored.
Compliance with GDPR is essential for any organization doing business inside the European Union, but it is equally important for any global, non-EU business that wants to do business with individuals and organizations within the European Union. So, with that in mind, what steps should you be considering?
Depending on the kind of data processing you are doing that relates to EU citizens, you may need to put someone in charge of data compliance. Under GDPR, this person is known as the Data Protection Officer (DPO) and is responsible for ensuring that your company is securing EU citizens’ data correctly. The DPO will also be overall responsible for the process that achieves and maintains your compliance. Without a DPO, the risk is that you’ll finish up failing to comply, as internal battles will likely prevent effective decisions from being made. Criteria for appointing a DPO and more guidance on the role can be found here.
By looking at data compliance more seriously, you can assess where data protection best practice will help. It’s worth bearing in mind that there are 99 GDPR articles in the current documentation, and so I’m going to propose just three important areas – should you be interested in reading the complete legislation, it can be found here.
- Encrypt data. This may seem obvious, but it’s worth taking the time to review what you encrypt and where it is. This will likely mean running a full data audit, but as we know, since data does change value over its lifecycle, an audit will have benefits beyond just knowing ‘what’ to encrypt, you will also learn what data is being held and whether it can be archived or even deleted. This is also not just about encrypting data at rest, also consider data in motion and network data protection methods. The latest encryption and CASBE tools will mostly likely be a great help here.
- Make sure you know who is accessing data, from where, and when. With demands for 24x7 any-device access to online resources, it is very important to put these controls in place and reduce the risk of unauthorized access. At the same time, make sure that employee secure access methods are robust with good, regularly changed, passwords and multi-factor authentication in place. However, this just covers user access to data. You will also need to look at what is accessing data. Many organizations have third party connections in place with partners or other applications. These will need to be continuously monitored for ongoing GDPR compliance. Even if you outsource services to 3rd parties, e.g. payroll, anything involving EU citizen data remains your responsibility.
- Establish an incident response process. Under GDPR, if data is breached, you need to notify the local Data Protection Authority that this has happened – and in most circumstances, the notification has to happen within 72 hours of detecting the breach. Effective incident management will put you in a stronger position, should a breach occur, to understand what happened, the impact and how to mitigate. The breach will still have to be notified to the relevant authority, and you may have to contact individual customers to let them know, but an efficient and clear response process will speed this up and may help to mitigate reputational, brand and even financial damage.
To summarise, it’s certainly great business sense to ensure that data is well protected. GDPR is a legal framework that describes how data related to EU citizens must be protected, but as such does it not make sense to consider data best practices and better protect all the personal data you hold?
GDPR gives an opportunity to provide better data protection today, better data protection provides confidence to your customers. Take this opportunity to be ahead of the game. If you would like more information, tips and resources on preparing for GDPR please visit www.juniperemea.net/gdpr