Future Proof Your Data Protection: GDPR and Beyond

The EU General Data Protection Regulation (GDPR) is coming. It is the first rewrite of European data protection law in 20 years, replacing the 1995 Data Protection Directive, and it is designed for the reality of living and working in a data-driven, inter-connected world in which cloud services dominate.

The GDPR will change how organizations gather, process and store personal data, meaning any information relating to an identified or identifiable individual, whether private, professional or public: a name, an email address, a photo, correspondence, a medical record or bank details. It will apply to any organization established in the EU, and to any organization outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the data is actually stored.

The penalties for non-compliance will be harsh. The exact figures are still being debated, with proposals of up to 5% of worldwide annual turnover (the regulation as finally adopted, Regulation (EU) 2016/679, sets the top tier at 4% of worldwide annual turnover or €20 million, whichever is higher). In other words, non-compliance is not an option.

Organizations should not underestimate the burden of this legislation. It will require potentially deep-rooted policy changes. So what changes do businesses need to make to meet the new rules?

Data Protection Officer

Draft texts of the GDPR would require a data protection officer (DPO) to be appointed even by businesses with fewer than 250 employees if they process data relating to more than 5000 data subjects in a year; the adopted text instead ties the obligation to the nature of the processing (public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data) rather than to headcount. Either way, separating out the role shows a commitment to customer data and should ensure future compliance challenges are handled more easily.

For small businesses, outsourcing this function may well be the best option, always bearing in mind that someone within the organization will still need to oversee and ensure compliance.

Reality Check

Where does your organization sit currently on the compliance scale? Look at existing policies, procedures and solutions for handling data. If your organization uses third parties such as cloud service providers to hold data, all existing contracts need to be reviewed. If you don't know already, you need to find out how cloud data is hosted, backed up and encrypted, and who holds the keys. Ultimately, a company that outsources data handling to another party never outsources its responsibility to protect that data: under the GDPR the controller remains accountable for the processing it entrusts to its processors.

Ask service providers to show what steps they are taking in relation to the GDPR, or you could find your compliance plans scuppered.

You Are Not Alone

It may feel like each organization is working in isolation to assimilate a lot of new rules, but in reality, a range of tools has been developed to help with the planning.

One valuable resource, for instance, comes from The Association for Information and Image Management (AIIM). The changes ahead for businesses are set out in the report, Making Sense of European Data Protection Regulations. There are 11 key areas outlined ranging from gaining consent to collect data to fully documenting any breach.

Decide What Needs to Be Done

Armed with an understanding of compliance, the DPO should now formulate a plan. For many organizations, this needs to include employee education and training.

All departments need to be on board with the changes. Providing context helps employees understand the importance. The GDPR affects us all and will help protect our identity and privacy. From the perspective of the consumer, it hands back control of one’s digital self. For businesses, there is an opportunity to excel and improve customer service. 


Do It!

All policies concerned with data need to be updated. Therefore all departments that ‘touch’ data will need to be involved: IT, legal, operations, HR, finance and sales. Everyone involved should understand the privacy aspects of the GDPR and the rights of anyone the company holds data on.

For instance, an organization needs to be able to provide a person with a copy of all the personal data it holds about them, in a structured, commonly used and machine-readable format that can easily be transmitted electronically (the right to data portability). It also needs to be able to delete a person's data on request under the 'right to be forgotten' (the right to erasure). That right is not absolute: data that must be retained to meet a legal obligation or to establish or defend legal claims is exempt, so the deletion process has to be able to recognise those exceptions. In practice, both rights depend on knowing every system, backup and third party that holds the data in the first place.

The Reward

Procedures and policies updated, staff trained, service providers checked… time to consider certification. Draft texts proposed an EU Data Protection Seal lasting five years; the adopted regulation provides for voluntary certification mechanisms, valid for a maximum of three years and renewable, that demonstrate the compliance of processing operations. Note that certification does not reduce the organization's own responsibility for compliance, and a supervisory authority can still act on a breach.

About the Author

Alessandro Porro joined Ipswitch in 2004, shortly thereafter becoming director of sales for Asia Pacific and Latin America, increasing revenues from those regions. He was later promoted to oversee the division’s entire international interests and profitability. Alessandro attended Boston University's BA/MA program in international economics.
