Corporate Compliance Insights

5 Questions Compliance Should Be Asking About GDPR

by Kevin Gibson
August 28, 2017
in Data Privacy, Featured

Is Your Organization Ready — Or at Risk?

How would you rate your organization’s GDPR readiness? Hanzo CEO and Chairman Kevin Gibson offers five questions every compliance officer should be considering ahead of next May’s deadline for GDPR compliance. Specializing in heavily regulated industries, Hanzo is the world leader in the legally defensible capture, preservation and analysis of web and social content. Below, Kevin provides concrete guidance on compliance with the new data protection regulation.

On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect across the European Union (EU), a seismic shift in data protection practice. Working toward compliance before the deadline may be the difference between smooth and choppy waters: failure to comply exposes an organization to administrative fines of up to €20 million (US $23.5 million) or 4 percent of its total worldwide annual turnover, whichever is higher. This applies not only to organizations headquartered in the EU, but to any entity anywhere in the world that offers goods or services to individuals in the EU (or monitors their behavior) and therefore handles their personal data. Note that GDPR’s “personal data” is broader than the personally identifiable information (PII) familiar from U.S. practice; this article uses PII as shorthand, but the obligations attach to the wider category.

Knowing the answers to five key questions will prove essential to becoming and remaining GDPR compliant and avoiding both fines and potential loss of business.

#1: What personal data is stored?

GDPR covers personal data: any information relating to an identified or identifiable natural person. What that includes will vary by company, but it typically covers names, addresses, telephone numbers and account numbers, as well as email and IP addresses. It can be client data, but it can just as easily be employee data, and it is often scattered across disparate repositories.

While most organizations are aware of PII that may be stored in their ERP and corporate systems, many aren’t cognizant of the volume of PII that comes into their system via web platforms and software brought to the table by their own employees (“BYOS”). This data needs to be taken into account in preparing for GDPR compliance.

#2: Where does PII and other data reside?

It’s easy for corporations and corporate compliance officers to become tied up in the intricacies of GDPR and forget that we are increasingly moving into a world in which property rights are attached to information. GDPR is a further step in that direction, and accordingly, organizations must decide where individual types of data, including different categories of PII, will be stored and processed — as well as when consent will be required to process or otherwise utilize data, and who must provide that consent. They must then establish and maintain a “map” that clarifies the whereabouts of each type of data and the parameters for handling it.

Wherever it is stored, data should reside only where corporate policy dictates. Employees who are aware of PII or whose job responsibilities involve working with PII must also be made to understand that they cannot share it indiscriminately, and organizations will need to determine which information lies inside and outside the data “fences” they establish.

Case in point: A corporation whose employees leverage a web-based collaborative platform to enhance their productivity must decide whether it’s permissible for others to share a colleague’s telephone number on that platform, or if that phone number belongs inside a more secure fence. Mapping the whereabouts of individual categories of data and procedures for handling and storing it bodes well for corporations in that it constitutes proof that they have made every reasonable effort to protect data that requires protection and to remain GDPR compliant.

#3: What is our data breach protocol?

The increasing sophistication of attackers and the strong potential for both unintentional and intentional mishandling of data by employees make a data breach likely for most, if not all, companies. Consequently, a corporation’s data breach protocol should set forth preventive measures that support GDPR compliance. For example, a corporation that relies on a flexible, web-based collaboration platform could “bake in” compliance by establishing a protocol that archives the contents of that platform on a regular schedule. In the event of a breach, the archive is the evidence of what the platform actually contained at the time, so the corporation can show precisely which sensitive data was, and was not, exposed.

Support for compliance might also be achieved by configuring the system to generate alerts when sensitive data that doesn’t belong there, such as PII, appears. Steps to remove the data can then be taken before more serious compliance-related issues arise.
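As an added example (not code from the article or from Hanzo’s product), the following Python scanner shows what the alerting described above, and the inventory of categories from question #1, looks like in practice. It assumes the collaboration platform can be exported as (message id, text) pairs; the message ids and message texts are constructed sample data, the regular expressions are heuristics a practitioner would tune, and account numbers are modelled as IBANs so that a checksum can reject near-misses that merely look like one.

```python
"""Added example: a PII-pattern scanner for exported collaboration-platform content.

Sample messages below are constructed; the export format (message id, text)
and the message ids are assumptions, not anything from the original article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic patterns for the categories the article lists: email, IP,
# telephone and account numbers (modelled here as IBANs, assumption).
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Optional +country code, then three digit groups separated by space/dot/dash.
    "phone": re.compile(
        r"(?<![\w+])(?:\+\d{1,3}[ .-]?)?(?:\(\d{2,4}\)|\d{2,4})[ .-]?\d{3,4}[ .-]?\d{3,4}(?!\w)"
    ),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Constructed sample export: (message id, message text).
SAMPLE_MESSAGES = [
    ("msg-001", "Standup moved to 10:30, see the shared board."),
    ("msg-002", "Can someone call Anna? Her number is +44 20 7946 0958"),
    ("msg-003", "Refund goes to GB82WEST12345698765432, customer j.doe@example.com"),
    ("msg-004", "Build box is at 10.0.0.5, staging only."),
    ("msg-005", "Reference GB82WEST12345698765433 is a ticket id, not an account"),
]


@dataclass(frozen=True)
class Alert:
    message_id: str
    kind: str
    masked_value: str
    position: int


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map A-Z to
    10-35, and the resulting integer must be congruent to 1 modulo 97."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged.upper())
    return int(digits) % 97 == 1


def mask(value: str, keep: int = 4) -> str:
    """Redact all but the last `keep` characters so the alert itself does not
    copy the personal data into the alerting channel (a new repository)."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_text(message_id: str, text: str) -> list[Alert]:
    """Return one Alert per PII match in a single message, with values masked."""
    alerts: list[Alert] = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "iban" and not iban_checksum_ok(value):
                # Shaped like an IBAN but fails the check digits: most likely a
                # reference id, so do not raise a false alarm.
                continue
            alerts.append(Alert(message_id, kind, mask(value), m.start()))
    return alerts


def scan_messages(messages: list[tuple[str, str]]) -> list[Alert]:
    """Scan an exported batch of (message id, text) pairs."""
    return [alert for mid, text in messages for alert in scan_text(mid, text)]


if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(f"ALERT {alert.message_id}: {alert.kind} at offset "
              f"{alert.position} -> {alert.masked_value}")
```

Two design points matter more than the patterns themselves. First, the alert masks the matched value: an alert feed that carries the full phone number or account number simply becomes another repository of PII outside the “fence”, which is exactly what question #2 warns against. Second, regex-only detection is a first cut; the IBAN checksum shows the kind of secondary validation that keeps the alert volume credible, and a real deployment would add the same sort of check for national ID formats and tune the phone pattern to the locales actually in use.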

Moreover, in the era of GDPR, an effective data breach protocol doesn’t simply prescribe “patching” the repository where the breach occurred. It commits the organization in advance to the actions GDPR expects: notifying the supervisory authority, where feasible within 72 hours of becoming aware of the breach, informing the affected individuals where the breach is likely to result in a high risk to them, and describing in each case the nature of the breach, its likely consequences and the measures proposed to mitigate its possible adverse effects. Once again, a “map” of the data’s whereabouts plays a critical role here; with such a map in hand, a corporation should have no difficulty identifying which data was breached and where. Those that lack the answers to these questions will face far more dire consequences, whatever the extent of the breach.

#4: Do we have a data privacy policy, and what are its components?

A data privacy policy is an imperative for corporations in light of GDPR and the fact that property rights apply to PII under the GDPR umbrella. Employees must know the boundaries of acceptable behavior when it comes to handling data, and customers want and need to understand exactly what an entity will do to protect their PII.

Every data privacy policy should:

  • Clearly state the company’s information practices — explaining how it operates with regard to data and what it does with each type of data. This should be presented in simple terms, rather than couched in multiple pages of legalese that neither employees nor customers may fully comprehend.
  • Note individuals’ right to opt out of sharing their PII for internal use, as well as for use by third-party companies.
  • State that individuals may access any of their own PII in the company’s records and have the right to modify or delete this PII, even data that appears on websites.
  • Clarify the company’s serious stance on data security, stipulating that it will continue to invest time, effort and financial resources in enforcing data security policies and safeguarding individuals’ PII. This includes harnessing high-quality technology tools to protect data.

#5: Is our privacy policy up to date?

The framework of the GDPR will likely change and evolve. Corporations must keep an eye on that framework and alter their privacy policies accordingly.

Corporations and compliance officers who underestimate the will of EU authorities to enforce the GDPR regulations do themselves and their organizations a great disservice. Conducting periodic compliance risk assessments is a sound business practice anytime, but assuming a proactive stance now with these questions as a roadmap is a far more prudent approach on the cusp of great change.


Tags: data breach, GDPR
Kevin Gibson

Kevin Gibson is CEO & Chairman of Hanzo. Hanzo provides legally defensible collection, preservation and analysis of web and social media content for Global 2000 companies in the cloud, on premise or on demand.

© 2019 Corporate Compliance Insights