27 Feb
Best practices for ensuring GDPR compliance
If they haven’t done so already, businesses inside and outside of the European Union must ensure they comply with the newly established General Data Protection Regulation (GDPR). Approved by the European Parliament in April 2016, the new standards included in the regulation take effect May 25, 2018, and now is the time for companies to shore up their compliance.
How will my company be impacted?
The GDPR puts in place several new guidelines and processes for ensuring the privacy and security of personal data belonging to EU citizens. However, even organizations that don’t have locations in the EU will be affected. For example, if an EU citizen travels to the U.S. and pays for goods or services from a U.S.-based business, or if an EU citizen makes an online purchase from a U.S.-based e-commerce site, that company must ensure its practices meet the requirements of the GDPR.
Any company found to be non-compliant can be fined as much as 4 percent of its annual global turnover, or €20 million (just over $20 million), whichever is greater. Compliance is therefore in a business’s best interest not only to avoid fines, but also to improve its security and privacy across the board.
Best practices for compliance
The GDPR puts new standards into place, including elements like breach notification, right to data access, the right to be forgotten, and more. Additional information on data subject rights under GDPR can be found here.
In order to better ensure your firm’s compliance, there are a few key steps and processes to integrate, including:
- Creating a data protection plan: As CSO senior editor Michael Nadeau pointed out, many organizations likely already have a data protection plan in place that spans all the systems and processes the company uses to safeguard its sensitive data. For them, much of the work will center on updating this policy so that it aligns with the new GDPR rules. Items to consider in an internal data protection plan include data portability, data erasure capabilities and the role of the data protection officer.
- Conducting a risk assessment: It’s also imperative that the enterprise carry out a risk assessment of its current data and related systems and processes to better understand any gaps in security connected to personally identifiable information. Nadeau noted that things commonly overlooked here include shadow IT and smaller point solutions; businesses that ignore these do so “at [their] own peril.” A risk assessment helps organizations prioritize their compliance efforts.
“As a first course of action, organizations must get a full picture of their entire IT infrastructure and inventory all appliances in their estates,” said Matt Fisher, Snow Software senior vice president. “This, coupled with specific insight about which applications can process personal data, dramatically minimizes the scope of the project as well as the time spent on it. Suddenly, the impossible becomes possible.”
- Ensuring ongoing assessments: Compliance isn’t a one-and-done effort. Businesses must continually monitor and improve their efforts according to GDPR and other standards, requiring subsequent assessments.
To find out more about preparing for the GDPR – including risk assessments and data protection plans, in particular – connect with the experts at Pinnacle today.