Is Your Organization Ready — Or at Risk?
How would you rate your organization’s GDPR readiness? Hanzo CEO and Chairman Kevin Gibson offers five questions every compliance officer should be considering ahead of next May’s deadline for GDPR compliance. Specializing in heavily regulated industries, Hanzo is the world leader in the legally defensible capture, preservation and analysis of web and social content. Herein Kevin provides some concrete guidance on compliance in the face of the data protection regulations.
On May 25, 2018, the European Union (EU) will see a seismic shift in data security practices as the General Data Protection Regulation (GDPR) takes effect. Proactively working toward GDPR compliance before the deadline may be the difference between smooth or choppy waters, as any failure to comply with GDPR exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of global revenue — whichever is higher. This is true not only for organizations headquartered in the EU, but also for any entity around the world whose business involves providing goods and services to EU citizens and therefore is privy to their personally identifiable information (PII).
Knowing the answers to five key questions will prove essential to becoming and remaining GDPR compliant and avoiding both fines and potential loss of business.
#1: What personal data is stored?
GDPR covers personal data, and this data will vary by company. It includes names, addresses, telephone numbers and account numbers, as well as email and IP addresses. PII data can be client data, but it can also be employee data. This data can be stored in disparate repositories.
While most organizations are aware of PII that may be stored in their ERP and corporate systems, many aren’t cognizant of the volume of PII that comes into their system via web platforms and software brought to the table by their own employees (“BYOS”). This data needs to be taken into account in preparing for GDPR compliance.
#2: Where does PII and other data reside?
It’s easy for corporations and corporate compliance officers to become tied up in the intricacies of GDPR and forget that we are increasingly moving into a world in which property rights are attached to information. GDPR is a further step in that direction, and accordingly, organizations must decide where individual types of data, including different categories of PII, will be stored and processed — as well as when consent will be required to process or otherwise utilize data, and who must provide that consent. They must then establish and maintain a “map” that clarifies the whereabouts of each type of data and the parameters for handling it.
Wherever it is stored, data should reside only where corporate policy dictates. Employees who are aware of PII or whose job responsibilities involve working with PII must also be made to understand that they cannot share it indiscriminately, and organizations will need to determine which information lies inside and outside the data “fences” they establish.
Case in point: A corporation whose employees leverage a web-based collaborative platform to enhance their productivity must decide whether it’s permissible for others to share a colleague’s telephone number on that platform, or if that phone number belongs inside a more secure fence. Mapping the whereabouts of individual categories of data and procedures for handling and storing it bodes well for corporations in that it constitutes proof that they have made every reasonable effort to protect data that requires protection and to remain GDPR compliant.
#3: What Is our data breach protocol?
The increasing sophistication of hackers and the strong potential for unintentional and intentional mishandling of data by employees make a data breach inevitable for most, if not all companies. Consequently, corporations’ data breach protocols should set forth preventive measures that support GDPR compliance. For example, a corporation that utilizes a flexible, web-based collaborative platform could “bake in” compliance by establishing a protocol that entails archiving the contents of that platform. In the event of a data breach, the archived content would serve as proof that sensitive data is not visible.
Support for compliance might also be achieved by configuring the system to generate alerts when sensitive data that doesn’t belong there, such as PII, appears. Steps to remove the data can then be taken before more serious compliance-related issues arise.
Moreover, in the era of GDPR, effective data breach protocol doesn’t simply prescribe “patching” a data repository where the breach occurred. Rather, it dictates planning for and committing to certain actions aimed at remediation, such as describing the nature and likely consequences of the data breach, along with proposed measures to mitigate its possible adverse effects. Once again, a “map” of data’s whereabouts plays a critical role here; with such a map in hand, corporations should experience no difficulty identifying which data was breached and where the breach occurred. Those that lack the answers to these questions will encounter far more dire consequences, no matter the extent of the data breach.
- Clearly state the company’s information practices — explaining how it operates with regard to data and what it does with each type of data. This should be presented in simple terms, rather than couched in multiple pages of legalese that neither employees nor customers may fully comprehend.
- Note individuals’ right to opt out of sharing their PII for internal use, as well as for use by third-party companies.
- State that individuals may access any of their own PII in the company’s records and have the right to modify or delete this PII, even data that appears on websites.
- Clarify the company’s serious stance on data security, stipulating that it will continue to invest time, effort and financial resources in enforcing data security policies and safeguarding their PII. This includes harnessing high-quality technology tools to protect data.
The framework of the GDPR will likely change and evolve. Corporations must keep an eye on that framework and alter their privacy policies accordingly.
Corporations and compliance officers who underestimate the will of EU authorities to enforce the GDPR regulations do themselves and their organizations a great disservice. Conducting periodic compliance risk assessments is a sound business practice anytime, but assuming a proactive stance now with these questions as a roadmap is a far more prudent approach on the cusp of great change.