May 25, 2018 will go down in history as one of the most important days for information security with the implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) legislation.
What is GDPR? It is an EU regulation with global reach that governs how businesses must handle their customers' personal data. The law does not apply only to EU businesses: it applies to any business entity, regardless of location, that deals with EU customers. So even if your business is in the US, Africa or Asia, you are still covered by this legislation as long as you store or process the personal data of people who live in the European Union.
Businesses that do not comply with the GDPR requirements will face hefty fines of up to $24 million or 4% of their annual global turnover, whichever is higher.
So what does GDPR mean for you? How can you make your business compliant with the new regulations?
- Assess your organization and determine what needs to be done to improve your information security. Review the requirements of GDPR and analyze the implications of this law for your business processes. Make sure that decision makers are aware of what the legislation entails for your business. For some businesses, the changes will impact several departments, so the sooner you get everyone on board, the sooner you can sort out the changes that need to be made.
- Conduct an Information Audit. Analyze what personal data you collect, store and process from your customers. You also have to check where this data comes from and with whom you share it. One of the requirements for businesses is to keep a record of processing activities, as well as of the policies and procedures being implemented. If you're working with an outsourcing partner, you should also be aware of the risks that come with sharing information outside your organization. To make sure your customers' data is protected, work only with ISO-certified offshoring companies, because they have their own information security procedures that meet a defined international standard.
- Update your privacy notices. Your customers should be fully aware of what data you are collecting, how you are going to use that data and who will have access to their data. Your customers should also provide explicit consent – a very clear and specific statement of consent.
- Protect the young. GDPR has very strict guidelines when it comes to dealing with personal data of minors. Check if your system has a way of identifying the ages of your customers and make sure you get parental or guardian consent before processing children’s data.
- How do you handle a data breach? Do you have a detailed game plan in case a data leak happens? Is your plan consistent with the requirements of GDPR? It is time to analyze your contingency plan, because it's better to be prepared than to be caught off guard when these things happen.
GDPR is not the enemy. It is simply a tool designed to help protect your customers' data. The sooner you get your head around the specific details, the sooner you can implement changes within your organization.