In an effort to better protect its citizens’ data, the European Union will be implementing the General Data Protection Regulation – or GDPR – in May of 2018.
While we’re of the mindset that compliance isn’t always equal to security, compliance to the EU GDPR is definitely a step toward better user information privacy. Our advice: start thinking about May 2018 now. Here’s why.
Failure to comply results in more than just a slap on the wrist
First of all, Brexit hasn’t changed anything. You still need to be adhering to GDPR regulations if you’re handling data from the EU. The financial penalties for not doing so will be steep, starting at €10 million – or 2% of global turnover. There can also be multiple fines for different violations, and you might also be held liable for client compensation, whether or not their losses are financial.
We should also mention the fact that the supervisory authorities or judicial system may get in on the action, and that’s definitely not an ideal situation for data storage or processing organisations.
You are the keeper of your client’s data
With great power comes great responsibility. Regardless of the consequences of failing to comply – and regardless of your geographical location – if you’re currently handling client data, or will be in the future, you should ensure that the appropriate safeguards are in place. The GDPR will provide specific guidelines to help you protect your clients’ oh-so-valuable data.
What’s the rush?
It really is best to be preparing right now, because unless you know whether or not you’re already compliant, or know which steps you need to take to achieve compliance, you need to search your organisation for gaps. Having a plan in place to achieve compliance by May 2018 is paramount.
Here are some questions to ask to help you along the way:
1. How will compliance to the EU GDPR affect my business? Make no mistake, the new legislation will affect your business. It’s up to you and your team to understand how, and prepare for any organisational repercussions.
2. Do we currently have an effective risk management strategy? Ensure that you have formal processes and a risk register in place to track any potential risk to your clients’ information. Ensure that these processes include data privacy.
3. How do we currently monitor our clients’ data? Validate any means of monitoring the confidentiality, integrity and privacy of your clients’ data. Also, verify that you have written policies, standards, and processes in place to govern such monitoring.
4. Do we have processes in place to report breaches? Breach detection and reporting is a big part of the GDPR. Compliance means having a system in place to report a breach that may impact the rights and freedoms of your users within 72 hours.
5. Would you say you have achieved privacy by design? Privacy by design is a must to achieve compliance with the GDPR. You must ensure that the privacy of customer/user data is taken into account, and that the technical and organisational measures are in place to bolster said privacy.
6. What does the term “data privacy officer” mean to me? The DPO is a new position that should really be created when working toward compliance with the GDPR. The DPO role may be tacked onto an existing manager’s responsibilities, or you maybe you’ll want a dedicated DPO. You might even hire a third-party DPO to help you with your data privacy needs. Either way, you need to figure out what they will be doing for your organisation – and how you can best build out that role to provide the greatest benefit to you and yours.
While there are only eighteen months until the GDPR comes into play, there’s still time to get organised. If you’re not monitoring your clients’ data you need to plan out how you can implement appropriate measures to do so. You should really start thinking about how you might deal with a data privacy breach, as well. Adding privacy to your risk management strategy – or creating a new strategy around data privacy will also go a long way in your quest for compliance.
We’ve stated before that compliance, while very useful at times, may result in narrowed security scope or unrealistic requirements. It’s also been stated that compliance to the GDPR will be mandatory if you’re storing or processing client data belonging to EU citizens. Since protecting the privacy of our clients’ data should be high on our priority list, doesn’t integrating compliance to the EU GDPR into our overall information security strategy just make sense?
(To download ZoneFox’s EU GDPR activities timeline, click here.)