Our view on the GDPR (General Data Protection Regulation)
This post will lead you through the new EU regulations about storing personal data in your company servers.
These regulations are no less than a revolution in the way countries treat their citizens' personal data and in companies' ability to store and use it for their own needs.
For years companies could do almost anything with this data: track people, target people using it, buy or sell it, and so on. This situation is about to change.
This article will explain to you how and what you should do in order to face those winds of change.
The GDPR came into force in the EU on May 25th, 2018.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for fields like name, address and Social Security number.
The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
Companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor, and the data protection officer (DPO).
The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance.
WHAT SHOULD MY COMPANY BE DOING ACCORDING TO THE GDPR?
- Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
- Involve all the stakeholders. IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.
- Hire or appoint a DPO: The GDPR does not say whether the DPO needs to be a discrete position, so presumably, a company may name someone who already has a similar role to the position as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be a consultant who works as needed.
- Create a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
- Conduct a risk assessment: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII.
- Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures.
- If your organization is small, ask for help if needed. Smaller companies will be affected by GDPR, some more significantly than others. They may not have the resources needed to meet the requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimize internal disruption.
- Test incident response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company's risk of fines for the breach. Make sure you can adequately report and respond within that period.
- Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement.
Ronen Wasserman and the ROM Team