After two years of controversy and confusion, the era of the GDPR is about to begin. As of May 25, 2018, Europe’s groundbreaking General Data Protection Regulation will have the force of law in all 28 EU member nations, fundamentally changing the way businesses and government agencies deal with personal data.
Since the regulation was adopted by the European Parliament in early 2016, organizations around the globe have been working to understand what the law requires and how it will be enforced. Surveys on GDPR readiness indicate that many organizations still have a significant amount of work to do. In a recent study by Ernst and Young, for example, 40 percent of European companies and 87 percent of American companies responded that they did not yet have a GDPR compliance plan in place.
Whether your organization has been preparing for the GDPR for the last two years or is just getting started, now is a good time to assess how the law will affect you and what you’ll need to do in order to comply. The steps listed here can help you prioritize your GDPR activities and make sure that your data is an asset rather than a liability when the law takes effect.
For more information on specific GDPR provisions and the fundamental concepts behind the regulations, read our GDPR whitepaper, Data Protection by Design.
Determine Your Standing
If you do business in Europe, chances are that the GDPR applies to you. Unlike the patchwork of data privacy and security laws that came before it, the GDPR will apply equally to any organization that collects or processes the personal data of EU citizens, whether or not the organization is based in the EU. This includes companies in the UK (which remains part of the EU until the Brexit process is complete), as well as in the Americas and elsewhere.
It’s also important to know whether your organization is considered a “data controller” or “data processor” under the law. Data controllers are organizations that make decisions regarding what information will be collected from EU citizens and how the data will be used, while data processors simply process data on behalf of data controllers. This may be a complicated analysis for some organizations, as a single company can be both a data controller and a data processor, and can have several different controller-processor relationships with different business partners.
Appoint a DPO
If your organization is required to appoint a Data Protection Officer and hasn’t already done so, now is the time. Your DPO will be responsible for a wide range of activities related to GDPR compliance, including internal audits, employee education, and communications with data subjects (the EU citizens whose data your organization collects or processes).
Your Data Protection Officer will also be responsible for maintaining your organization’s relationship with the GDPR Supervisory Authorities who enforce the law in the countries where you do business. This includes routine reporting as well as required notices in the event of a data breach.
Assess Your Policies
In the post-GDPR world, organizations will need to tread carefully when gathering data on websites or through other channels. Data controllers are required to obtain permission that is “freely given, specific, informed, and unambiguous” in order to collect or use someone’s personal information. The law imposes even stricter consent requirements for collecting data on children, and for collecting health information and other forms of highly sensitive data.
Organizations will also need to have a process in place to receive and comply with requests from data subjects who want a copy of their personal data or who want to exercise their “right to be forgotten.”
Assess Your Data
The only way to be sure that your organization is meeting its data protection compliance obligations is to understand exactly what types of data you have, where data is located, and how it’s being protected. GDPR compliance requires a data-centric approach to cybersecurity, incorporating each of the following activities:
- Discovery: Personal information, like any data, has a way of traveling beyond its intended location. In many organizations, sensitive data is routinely extracted from databases and saved on desktops, file servers, and other locations where security administrators have limited visibility. Intelligent data discovery tools can scan these locations and find sensitive information that requires protection or other special handling under the GDPR.
- Classification: Files containing personal data or other sensitive information should be tagged with metadata that indicates what type of information is in each file and how the file should be accessed and handled. Classification tags also make reporting on data easier and more accurate.
- Protection: While the GDPR does not specifically require encryption for personal data, it does strongly recommend it, and also provides exemptions for organizations that use it. In the case of a security breach, for example, an organization is not required to send breach notifications if the stolen data was protected by strong encryption. Depending on an organization’s compliance needs, some data may also need to be protected by quarantine, masking, or deletion.
Perhaps the only thing that’s certain about the GDPR is that no one knows exactly what’s going to happen after May 25. How many companies will exit the European market rather than deal with GDPR requirements? How many people will want to exercise their right to be forgotten? How often will supervisory authorities impose the maximum penalty for noncompliance?
As we approach the law’s effective date, watch for new guidance from the EU’s GDPR working group and from the supervisory authorities your organization will work with. And be sure to check back here regularly for best practices on data protection and tips on how to build customer trust while meeting your compliance obligations.