The GDPR is right over the horizon. Enterprise companies only have weeks to go before it goes into full effect, so here are five quick IT compliance ideas to get ready for GDPR standards.
The General Data Protection Regulation (GDPR) is finally on the horizon. On May 25, 2018, the GDPR will take full effect, overhauling data privacy laws across the entire European Union and giving data subjects tighter control over the sensitive information gathered and processed by enterprise organizations. If your company processes the personally identifiable information of European Union citizens, you need to comply with the GDPR’s new rules or face potential fines of up to 20 million euros or up to four percent of your organization's annual turnover, whichever is higher.
With only weeks to go until the deadline, time is of the essence. So, here are five quick IT compliance tips to help companies prepare:
1. Hire a Data Protection Officer (DPO)
Your company may not need one, but in general the GDPR requires a designated DPO if the organization processes demographic data or operates in a highly regulated industry. You’ll need to check with legal to find out whether your business must appoint or hire a DPO. Even if it doesn't, information technology staff within your organization may not be familiar with the processes and technology involved in GDPR compliance, so bringing in a third party from outside can still be a good idea. Find a supervisor who can monitor and report on the issues that matter to your organization and you’ll be on your way towards GDPR compliance.
2. Create a Roadmap and Inform All Departments
The DPO will help write a roadmap or checklist that identifies the processes, technologies, and training necessary to comply with the GDPR. And it’s not just the IT department that is responsible for compliance. Every branch of the company that processes data, including human resources, legal, marketing, operations, privacy, and security, will be responsible for ensuring GDPR compliance is met. In other words, everyone in charge of processing personal data will need training to understand what the GDPR entails and how it affects their role.
3. Audit Your Data
Figure out your data processes. Are they secure? Do employees have access only to the data they need? How is data stored and used? Is obsolete or redundant data retained or deleted? Have you minimized all potential vulnerabilities? These are not only good questions to answer; you’ll also need to show your work and keep internal records of these processes and procedures so that, in the event of a data breach, you can demonstrate that you did everything possible to protect the data of customers and employees. Otherwise you risk potentially steep fines.
4. Augment International Transfers
Organizations outside the EU that process EU data must comply with the GDPR, too. So, if your company in the U.S. handles the personal data of EU citizens, or sends data to the EU, it must have an approved mechanism for transferring and protecting that data, whether it’s in motion or at rest. Similarly, companies need systems in place to respond to data subject requests: if customers want access to their data, they should be able to download it or receive printed copies.
5. Continually Assess Potential Risks
Once you’ve conducted a full risk assessment, implemented new data privacy measures, helped third-party partners comply, and made sure data subjects know their new rights, such as the right to erasure, the right to revoke consent, and all related exceptions (for example, you may refuse a request to erase data for legal reasons), it’s time to repeat each step to make sure you remain continually compliant.
Beyond that, it’s a matter of implementing data privacy best practices such as encryption and pseudonymization.
For further solutions on how to enforce data compliance protection policies through a single point of control, contact eperi to find out how we can help get your company ready for the GDPR.