The clock is ticking on the European Union’s new privacy law, the General Data Protection Regulation (GDPR). We’re less than one year away from when the GDPR comes into force, May 25, 2018. This new regulation imposes sweeping privacy protection requirements on any entities that oversee personal data operations or process personal data in the EU. This has the potential to impact companies on an international scale. The new requirements come hand-in-hand with a set of stiff penalties for non-compliance, including punishing fines that can soar to € 20 million or 4% of a company’s annual gross revenue.
Unfortunately, many US companies with operations or personal data processing in Europe remain ill-prepared for full compliance. A recent survey of large US companies revealed that although 94% retain personally identifiable information on EU citizens, as many as 40% have no plan for GDPR compliance. As the deadline approaches, the pressure felt by compliance and IT professionals, records managers, and CIOs at these companies is sure to increase.
Readying your company for compliance with the GDPR is a significant undertaking that requires substantial time and resources. But while the time remaining for preparation is dwindling, it is still not too late. If your company hasn’t formed a plan or taken concrete measures to comply, consider taking the following modest steps to begin preparing your organization for the GDPR:
- Determine the scope of personal data operations: The first step to creating a proactive plan is to determine which of your enterprise’s activities affect the personal data of EU persons. Assess where and how your company interacts with EU persons during business operations. Then, determine the extent of the data they might share. Many companies that offer online services don’t know that even an IP address may be personal data protected under the GDPR.
- Map your data: You can’t protect personal data if you don’t know where it is. Work with your IT professionals to conduct a survey of all data that resides on your systems. This will allow you to determine which data needs protection and where that data is located. Consider whether you’ll need to relocate some of your data within the EU by opening a data center or by using a database provider who can identify and separate EU and non-EU data.
- Investigate business partners and renegotiate contracts: The GDPR requires data controllers and processors to conduct due diligence when they allow a third party to access or handle data. Independent contractors, vendors, and other third-party entities with whom you share data are sources of risk. New service contracts should include provisions that require them to protect personal data and comply with the GDPR. You should also renegotiate existing contracts.
- Marshal IT resources: Security measures for software and systems are essential to protect personal data. The GDPR requires companies to take reasonable and proportionate measures to safeguard data from loss, destruction, or unauthorized access. Audit your current security framework and system redundancies and look for gaps. Determine where you can easily implement access controls, encryption, and other fortifications to your system security.
- Appoint a data protection officer: The GDPR mandates that public companies designate a data protection officer, but even companies not required should consider appointing one. With a professional trained in privacy and IT security empowered with the authority to oversee data protection across the company, you can improve the speed and effectiveness of your compliance and data governance. As a first step, this person can work with your legal counsel to determine which EU government supervisory authority you will need to report to once the GDPR is in effect.
The looming GDPR deadline might cause understandable anxiety for those responsible for implementing it. Although the requirements seem daunting, you can adopt an incremental approach to compliance that begins with taking concrete steps today. The result will be significant progress to help you advance along the path to achieving compliance and minimizing the risk of sanctions or penalties.
Author: Frank Fazzio, Records Analyst at Zasio Enterprises, Inc.