What Compliance Should Be Doing Now
CCI has covered the General Data Protection Regulation (GDPR) extensively, and by now most readers may know that the deadline for GDPR compliance is barreling toward us. Kevin Gibson walks us through what businesses must do to prepare.
May 25, 2018, the day on which the General Data Protection Regulation (GDPR) takes effect, is fast approaching. Some firms have been proactively working toward GDPR compliance, which is wise given that failure to do so exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of annual global turnover, whichever is higher. However, it appears that a majority of firms whose business requires them to comply with the GDPR have yet to do so and are instead waiting to take action until just before the deadline or, worse, after it passes. Such procrastination is ill advised. The GDPR compliance countdown, as outlined here, should start now.
4… Get motivated by understanding the consequences of waiting to address GDPR preparations.
The GDPR is designed to safeguard the privacy and security of personal data (the regulation's term for what many organizations call personally identifiable information, or PII) belonging to individuals in the European Union (EU), regardless of their citizenship. If previous efforts to enforce regulations are any indication, European supervisory authorities will not hesitate to impose penalties on any company found to be in violation of the new regulation. Pandemonium will ensue when this occurs, with a long queue of other EU data subjects initiating their own attempts to recover damages for noncompliance.
The longer this queue becomes, the greater the number of organizations that will simultaneously scramble for resources to help them navigate the road to GDPR compliance and overcome any obstacles they encounter. As more companies reach out for these resources, engaging the right services will become harder. And as the shortage of competent GDPR-compliance resources widens, so too will the price of their services rise.
3… Develop a GDPR compliance plan.
The GDPR clearly specifies how organizations that maintain and/or process personal data (controllers and processors, in the regulation's terms) must handle that data. This includes everything from requirements for storing and safeguarding the security of customer and employee PII to responding to requests that PII be deleted from companies' records. It also encompasses documenting and furnishing proof that companies have followed through on requests for PII deletion and that the data no longer resides on a particular system or systems. And that is just the beginning.
Companies must formulate a plan stipulating their intended method of satisfying all requirements set down under the GDPR. For instance, what measures will they take to ensure that customers’ PII is never exposed on their website? How will they respond to employee requests for PII erasure? How will they know where particular data resides? Who will be accountable for ensuring that PII that should not be exposed is not exposed? Who will be responsible for GDPR compliance as a whole? Without such a plan, organizations will find themselves frantically improvising as they go along — and quite possibly, making decisions or taking actions that could have financial or other repercussions.
2… Locate and engage appropriate resources.
Small organizations (i.e., those with just a few individuals on their payroll and a limited number of EU residents on their customer roster) will likely not require as much assistance in attaining GDPR compliance as their larger counterparts. However, nearly all companies will need some help with GDPR preparations, whether in implementing the proper tools and utilities for identifying, controlling, analyzing and acting on web, social and collaborative content or in deploying technology that maintains audit trails of GDPR-related activity.
No matter their size, companies should, when choosing from among resources, limit their selection to those whose capabilities support all aspects of GDPR compliance. Organizations with multiple data repositories and operations in various geographic locations should be certain to engage only those resources that can provide a solution for finding the same data in more than one system, so that if it must be erased, it is erased from all systems rather than just one. All companies should also ensure that their resources offer tools that make the whereabouts of all data in the PII category — structured data, unstructured data and web data — easily evident, whether it resides in an ERP or corporate system, on a web platform or even in employee-owned software.
1… Assess compliance levels.
By early May, at the very latest, companies should be at a stage where they are performing dry runs to assess their degree of GDPR compliance and making any necessary adjustments before the rush. Such assessments should exercise the process of responding to different GDPR-related requests, for example an employee's request to be furnished with information about what the organization does with their PII, or for that data to be expunged from the company's records, and should time how long each response takes. Also worth including are spot checks of various data repositories to make certain that PII is not exposed and accessible when it should have been placed behind access controls (authentication and authorization, not merely a network firewall).
Admittedly, not all companies will be fully positioned for the GDPR by the coming deadline in May. However, the further along this countdown they can get, the smoother the sailing for all parties concerned.