US companies: How to meet gdpr in five steps
—What is GDPR?

The General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. Coming into effect on May 25, 2018, GDPR will specifically target how businesses and the public sector handle the information of 750 million European citizens. This means any company that holds any data on EU citizens, from personal information such as credit cards numbers to even a simple a photo of the citizen, is subject to GDPR. Although this law exists in the EU, its reach will be global. Businesses not located in the EU could still face penalties and fines if they do not comply with the legislation.  If you are subject to DPA (Data Protection Act), it is likely that you are subject to GDPR. The EU is serious about protecting the data of its citizens. Just for having a security breach your business could be fined, and the penalties are substantial. Fines can be upwards of €10 million or two percent of a firm’s revenue. For violations that are more serious penalties can reach €20 million or four percent of a firm’s revenue. However it is important to note that Elizabeth Denham, the Information Commissioner, stated she “prefer[s] the carrot to the stick [and] while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective.” In the following sections, we will outline some of the steps necessary to comply with GDPR as well as how you can use this regulation as an opportunity to grow and enhance your organization using it to increase your profits instead of becoming an additional expense for your organization.

“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective,”
—Next Steps

You must determine what EU data your business possesses, where and how it’s retained, and set legally defensible policies for how that data will be collected, managed, and destroyed. Applying this procedure in practice will not happen overnight. For starters, your organization may have large amounts of structured and unstructured data, which may reside on numerous devices that could include everything – production servers, cloud applications, on and off premise backups, even staff members’ mobile devices. It is important to cast your net wide as you develop your strategy for classifying GDPR data. It also helps to approach GDPR as a risk management exercise. Uncovering where the largest gaps are in your security profile should be your first objective in coming to terms with GDPR. You may also be required to appoint a Data Protection Officer (DPO) who must be involved in all issues relating to data protection. Appointing a DPO is a risky procedure, as it requires a deep level of research and trust. Using a well esablished and trusted business in appointing a DPO is reccomended. It can also save your energy in trying to implement GDPR, by engaging a DPO you will essentially save the trouble of having to micro manage every aspect of the task at hand. There are some businesses (including MDS) that offer DPO services.

—01 Find Your Data

Where does your data live, and how is it relevant in terms of GDPR? The data that falls under GDPR could live in multiple environments inside your organization. Structured data, such as data in excel documents and accounting or CRM systems, is easily searchable and easier to protect. However, it is imperative that you find all the unstructured data that lives in your environment such as email, files, SharePoint, instant messaging, and find a mechanism of data analysis to monitor and protect the data that is subject to GDPR. This will require your company to perform a Privacy Impact Assessment (PIA). The organization and classification of this data can also become an added asset to your organization, as it can provide further analytics and allow for you to “mine and refine” this raw data, providing further insights to your organization and using this data to your advantage. The rules of GDPR might also provide an opportunity to implement analytics. By cleaning and reorganizing your company’s data, you then have the ability to provide new insights into your operations, and from there you can innovate and automate costly processes.

Take an online GDPR assessment

—02 Take Action

Once this data has been discovered, action can be taken. The initial step should be to reduce the workload. Redundant, obsolete, and trivial data (ROT) should be deleted. This will cut associated storage costs and liabilities. About 70 percent of data held by enterprises is ROT.  The next step would be to sort through the remaining data and classify what falls under the purview of GDPR. GDPR could essentially save your business money by restructuring and reducing current data repositories, as well as migrating to more efficient information management systems. GDPR can be utilized to your advantage as an opportunity to clean out the clutter in your data closet and securely reorganize your existing infrastructure. The rules of GDPR might also provide an opportunity to benefit from business intelligence and analytics. Cleaning, reorganizing, and viewing your company’s data, allows the ability to provide new insights into your operations, and from that, you can innovate and automate costly processes. Data has been compared to functioning like oil, with analytics being a combustion engine, yet it is so much more. Data is an unlimited resource that is exponentially growing. To use GDPR as an opportunity to start your mining process will help grow your business in ways you never imagined.

—03 Apply Policies

Once you have identified and categorized GDPR data, you can decide how to handle the information you hold about individuals, as well as the information that you continue to collect. You want to consider how you collect information on individuals, how long you store it, where you store it, and how you can dispose of it. For instance, GDPR states that customers “have a right to be forgotten” and organizations should be able to remove all of a person’s data within 24 hours. This includes data that exists on backups, so a seemingly simple task becomes all the more complicated. This includes data held by third-parties, where many US companies will have to comply if they want to continue to work with their European partners. There are a vast number of applications and processes that can be implemented and designed to help regulate these policies. On the positive side, this also opens the door for automation. Tasks that might have taken hours of manual labor, such as collecting information from a customer can now be automated and completed by a program or application, thus saving your workers time to focus on new tasks. There are a plethora of tools that allow for the collecting and handling of this information in a safe and secure method. Feel free to speak to a member of our team for assistance in discerning which applications best fit your organization’s needs.

Speak to a GDPR expert today

—04 Secure Your Data

Ultimately, GDPR is designed to protect every EU citizen’s personal data. This is where you want to ensure your cyber security practice positioning for success. With the increasing ransomware attacks and data breach leaks, cyber security has never been more important than it is now. Best practices for ransomware prevention include data backup, early protection, preventative monitoring, web/spam filters, CASB, and employee awareness training. With a potential fine for a security breach being up to 4 percent of your revenue, an investment in security policies could quickly pay for themselves many times over. In addition, when choosing a backup, you must also take into account there are dozens of back-up companies with hundreds of possible configurations. Just having a backup is no longer sufficient. We have seen instances where backups become compromised, either via negligence or from improper configuration. The same goes for endpoint security, updates, and employee training. Just buying a license for a product or having a training session for your employees is no longer adequate. Attacks are continually getting stronger, which means your security must be constantly monitored to stay protected and insulated from ever evolving threats.

—05 Provide Reporting

The final step to ensure your GRPR compliance is to be able to document and report the details that we have outlined. It is vital to show regulators that your organization is taking all steps necessary to meet the new requirements. These policies can take years to implement and it is rather unlikely that large organizations can meet the May 2018 deadline. That said, if you are able to demonstrate and specify the steps you are taking to meet GDPR, it will put you in a stronger position to withstand scrutiny from regulators. Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, stated that her office will be more lenient on companies that have shown awareness of the GDPR and endeavored to implement it, when compared to those that haven’t made any effort. There are a number of reporting and analysis tools available to reveal your gaps and identify where you fall short of any specific compliance point. Make sure you do your research when choosing the right one. Every organization is different and oft requires a variety of tools in your portfolio. Please do feel free to utilize our guidance when selecting the appropriate reporting tool for your enterprise.

Reach out to an MDS expert now and we will get back to you shortly!