You’ve probably seen the “privacy change notices” flooding your email lately as a result of GDPR, and your team is probably getting your own organization’s emails ready to go out if they haven’t already. The General Data Protection Regulation (GDPR) takes effect this Friday, May 25, but according to a survey by ISACA, a group focused on IT governance, only 29 percent of companies will be fully compliant by then. Are you one of them? If not, here’s what you need to know.
Don’t forget to build a process around data deletion. Most companies are already worried about how they’re going to store data GDPR considers “private,” but they also have to take into consideration the fact that the consumer (in Europe) has the power to request that their data be deleted. Consider how you will honor the consumer’s “right to be forgotten” with other legal requirements, such as HIPAA.
If you’re found to be out of compliance, you could face a steep penalty: 20 million Euros or 4 percent annual turnover (similar to revenue), whichever is higher. Fines levied will vary based on the nature and duration of the violation, as well as where it occurred. This is because enforcement likely will not be standardized across the EU. Businesses across the globe will be watching to see who the data protection authorities will target first for being out of compliance, and how their punishment will be levied.
Education is key. Your employees may be unsure or unaware of their role in GDPR compliance. Keeping them informed and trained about what their responsibilities are in the wake of these new regulations is critical to ensuring they actually follow them. Most people don’t like something if they don’t understand it!
Be transparent. If you’ve read any of the “privacy change notices” mentioned at the beginning of the article, you’ll notice they’re making an effort to be clear in how they’re using your data. They aren’t trying to be nice–it’s part of the GDPR requirement that organizations must be able to clearly explain how user data is being stored and processed. This means a more thorough understanding by the IT risk and governance teams of how the user’s data is being handled so they can in turn explain it to their users. This may mean a revision of client contracts–anything from a fully signed formal agreement to “I accept the terms and conditions” click-through agreement on your website.
Compliance is always a process–just because you’re compliant now doesn’t mean you can stop thinking about it. As your business changes, you must always think about how you’re collecting, processing, storing and deleting your data. It can benefit you not just from a compliance perspective but a data security and better business value of your data, too.