GDPR: A How to Guide for US Companies
—What is GDPR?
The General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. Coming into effect on May 25, 2018, GDPR specifically targets how businesses and the public sector handle the information of 750 million European citizens. This means any company that holds any data on EU citizens, from personal information such as credit card numbers to something as simple as a photo of the citizen, is subject to GDPR. Although this law exists in the EU, its reach will be global: businesses not located in the EU could still face penalties and fines if they do not comply with the legislation. If you are subject to the DPA (Data Protection Act), it is likely that you are also subject to GDPR. The EU is serious about protecting the data of its citizens. Your business could be fined simply for having a security breach, and the penalties are substantial. Fines can be upwards of €10 million or two percent of a firm’s revenue, and more serious violations can draw fines of up to €20 million or up to four percent of a firm’s revenue. However, it is important to note that Elizabeth Denham, the Information Commissioner, has stated that she “prefer[s] the carrot to the stick [and] While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective.” In the following sections, we will outline some of the steps necessary to comply with GDPR, as well as how you can use this regulation as an opportunity to grow and enhance your organization and increase your profits, instead of treating it as an additional expense for your organization.
You must figure out what EU data your business possesses, where and how it is held, and set legally defensible policies for how that data will be collected, managed, and destroyed. Applying this procedure in practice won’t happen overnight. For starters, your organization may have large amounts of structured and unstructured data, which may reside on numerous devices, from production servers, cloud applications, and on- and off-premises backups to staff members’ mobile devices. It is important to cast your net wide as you develop your strategy for classifying GDPR data. It also helps to approach GDPR as a risk management exercise: uncovering where the largest gaps in your security lie should be your first objective in coming to terms with GDPR. You may also be required to appoint a Data Protection Officer (DPO), who must be involved in all issues relating to data protection. Appointing a DPO is a risky procedure that requires a deep level of research and trust, so using a well-established and trusted business to appoint a DPO is recommended. A DPO also saves you effort in implementing GDPR, since you will not have to micromanage every aspect of the task at hand. Some businesses, including MDSNY, offer DPO services.
—01 Find Your Data
Where does your data live, and how is it relevant in terms of GDPR? The data that falls under GDPR could live in multiple environments inside your organization. Structured data, such as data in Excel documents and accounting or CRM systems, is easily searchable and easier to protect. However, it is imperative that you also find all the unstructured data that lives in your environment, such as email, files, SharePoint, and instant messaging, and find a mechanism of data analysis to monitor and protect the portion of it that falls under GDPR. This will require your company to perform a Privacy Impact Assessment (PIA). The organization and classification of this data can also become an added asset to your organization, as it provides further analytics and allows you to “mine and refine” this raw data, producing further insights that you can use to your advantage. The rules of GDPR might also provide an opportunity to implement analytics. By cleaning and reorganizing your company’s data, you enable new insights into your operations, and from that you can innovate and automate costly processes.
—02 Take Action
Once you find this data, you can begin to take action. The first step should be to reduce your workload by deleting redundant, obsolete, and trivial (ROT) data. This will cut associated storage costs and liabilities; about 70 percent of data held by enterprises is ROT. The next step is to sort through the remaining data and classify which of it is relevant to GDPR. GDPR could essentially save your business money by restructuring and reducing current data repositories as well as by migrating to more efficient information management systems. You can use GDPR to your advantage as an opportunity to clean out the clutter in your data closet and securely reorganize your existing infrastructure. The rules of GDPR might also provide an opportunity to benefit from business intelligence and analytics. By cleaning, reorganizing, and viewing your company’s data, you enable new insights into your operations, and from that you can innovate and automate costly processes. Data has been compared to oil, with analytics as the combustion engine, yet it is so much more: data is an unlimited resource that is growing exponentially. Using GDPR as an opportunity to start your mining process will help grow your business in ways you never imagined.
—03 Apply Policies
Once you have identified and categorized GDPR data, you can decide how to handle the information you hold about individuals as well as the information you continue to collect. You want to consider how you collect information on individuals, how long you store it, where you store it, and how you can dispose of it. For instance, GDPR states that customers “have a right to be forgotten,” and organizations should be able to remove all of a person’s data within 24 hours. This includes data that exists on backups, so a seemingly simple task becomes all the more complicated. It also includes data held by third parties, which is where many US companies will have to comply if they want to continue to work with their European partners. There are a vast number of applications and processes that can be implemented and designed to help enforce these policies. On the positive side, this also opens the door for automation. Tasks that might have taken hours of manual labor, such as collecting information from a customer, could now be automated and completed by a program or application, freeing your workers’ time to focus on new tasks. There are endless tools that allow for the collecting and handling of this information in a safe and secure way. Feel free to speak to a member of our team to help in discerning which applications best fit your organization’s needs.
—04 Secure Your Data
Ultimately, GDPR is designed to protect every EU citizen’s personal data. This is where you want to ensure your cyber security practice is positioned for success. With ransomware attacks and data breach leaks on the rise, cyber security has never been more important than it is now. Best practices for ransomware prevention include data backup, early protection, preventative monitoring, web/spam filters, CASB, and employee awareness training. With a potential fine for a security breach of up to 4 percent of your revenue, an investment in security policies could quickly pay for itself many times over. When choosing a backup, you must also take into account that there are dozens of backup companies with hundreds of possible configurations. Just having a backup is not sufficient anymore; we have seen instances where backups became compromised, either through negligence or improper configuration. The same goes for endpoint security, updates, and employee training. Just buying a license for a product or holding a single training session for your employees is no longer sufficient. Attacks are constantly getting stronger, which means your security has to be constantly monitored to stay protected against evolving threats.
—05 Provide Reporting
The final step to ensure your GDPR compliance is to be able to document and report the details discussed above. It is vital to show regulators that your organization is taking all steps necessary to meet the new requirements. These policies can take years to implement, and it is unlikely that large organizations can meet the May 2018 deadline; however, if you are able to demonstrate and specify the steps you are taking to meet GDPR, it will put you in a better position to withstand scrutiny from regulators. Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, has stated that her office will be more lenient on companies that have shown awareness of GDPR and tried to implement it than on those that have not made any effort. There are a number of reporting and analysis tools available to show where your gaps are and where you stand with respect to any particular compliance requirement. Make sure you do your research when choosing the right one; every organization is different and requires a different mix of tools. Feel free to utilize our guidance when selecting a reporting tool for your business.