At this point, many of you have likely heard of The General Data Protection Regulations (GDPR) – regulations created to protect data and privacy for all individuals within the European Union. The regulations, though created two years ago, went into effect as of May 25, 2018. However, many companies are not yet fully compliant.
Europe is no stranger to privacy laws. EU-based companies have been subject to similar laws since the 1990s, but this new legislation enforces cross-border privacy rules. This means that any company that provides goods or services, data processing and/or marketing activities to persons in the EU – and many such companies are based in the U.S. – is subject to compliance.
It’s important for U.S. companies to fully understand these regulations, how they apply to their businesses and what needs to be done in order to comply. Here are a few steps to get started:
1. Applicability assessment: First things first, find out how this applies to your business. Do any of your operations cross over into Europe? Do you offer any products or services with the intent to sell to parties in the EU? Do you have a web presence in the EU? An applicability assessment is typically something that is done with legal counsel, but a good starting point is to check out the International Association of Privacy Professionals (IAPP) website for guidelines on applicability.
2. Gap analysis: Look at the environment in which your business operates and gain an understanding of the data that is being collected. Covered Data includes any kind of personally identifiable information. This is everything from an IP address to a name. What kind of data do you collect and what do you use it for? Once you’ve completed the data discovery phase, think about what information you’ve collected as a result. Lastly, identify the gaps in how you’re performing currently as compared to what is dictated by the regulations.
3. Remediation road map: Once the gaps have been identified, create a remediation plan to address them. For example, if you’ve collected Covered Data from an individual who has consented to the collection, you still need to ensure that his or her data is adequately protected. Is it stored on a file share that is protected? Is the data protected while in transit? Who has access to the data? Create a plan and timeline for how your business is going to address all of these gaps.
4. Reporting and monitoring: In certain instances, GDPR requires that companies appoint a Data Protection Officer (DPO) to ensure compliance with the regulations. How is your business going to provide continued support for your DPO? For example, for a U.S.-based company, there are instances where a data breach has to be reported within 72 hours. Your business needs to have a plan in place to be compliant with this requirement as well as others related to reporting and monitoring. If your business is not equipped to do this in-house, line up outsourced professionals who can help.
Complying with GDPR is not an overnight task, but in today’s environment, designing a robust IT security plan is of pivotal importance. If you have any questions about GDPR, feel free to contact email@example.com or firstname.lastname@example.org.