All companies can learn something from the EU data protection regulation.
The goal of the General Data Protection Regulation is laudable: ensuring data types are well-kept and strengthened protection for individuals throughout the region. Organizations worldwide are preparing for May 25, 2018, the end of the GDPR grace period. While not every organization is subject to GDPR, any company whose business “touches” the European Union and has data about its residents could face a fine equal to 4% of global revenues if it fails to comply.
Aside from the mechanics of GDPR, the regulation presents an opportunity. In this era, data and information drives our ever-expanding digital lives. For enterprises, this means being a proper steward of the data and its consequences is effectively a fiduciary duty not to be taken lightly.
Organizations will almost always learn more about their data and its flow when considering what GDPR has introduced to Europe and how it can help elsewhere. Much of GDPR has applicability to an overall data privacy and data management strategy, and that’s good, especially when you consider the ongoing rise in breaches and mistakes such as companies failing to report them in a timely manner.
So while many U.S. companies and others outside of the EU consider GDPR a burden, it actually is a catalyst for much-needed change and all can learn from it. That there are financial consequences for falling short certainly will make organizations look harder at their practices.
There’s an approach I’ve adopted over the years when it comes to regulatory measures. It’s a mindset that any product or technology isn’t necessarily going to be compliant out-of-the-box; how it’s implemented and audited will dictate success. This is especially true for GDPR, which lacks specific application and technology requirements, instead focusing on the data and associated experience. That said, here are six steps organizations worldwide should keep in mind with GDPR.
Develop a data breach policy. GDPR structures data subject rights around many key aspects, and one specific area of focus for organizations should be what to do in a data breach situation. While no organization wants to be the next headline, we’ve seen how much worse a situation can become when a company botches breach response. Ensure resiliency in the technology to prevent a breach, but also have a plan in place to address one if it happens. The plan should include proper communications, decision-making responsibilities and more.
Implement privacy by design. How data it is transported, backed up, and accessed is critical. To help meet GDPR standards more easily, build data protection into the design of systems. Also consider data minimization, meaning only protect and secure what is necessary. Know what data is where, as well as what is subject to the privacy rules.
GDPR rules travel with the data. One interesting characteristic of GDPR is that above all, the rules apply to the data, even if it leaves the EU. This means if an organization outside of the EU processes personal data subject to GDPR, the rules travel with the data. In fact, rules may be even further tightened depending on which country the data is transported to, so understand your risk.
Historic IT security applies to GDPR. The traditional definition of IT security is to ensure confidentiality, integrity, and availability of data. The same applies in GDPR, and this is evident in Article 32 (1) (b). While this requirement includes resiliency, the need for IT security is clear: Even as specific technologies change, IT security should be taken seriously and reinvested in to remain current.
Identify sensitive data. In this digital world, a massive transition from managing storage to managing data is underway. A key principle of GDPR is defining what is personal data, so it’s critical organizations understand and identify sensitive data that may warrant notification if breached.
The right to know and be forgotten. A pillar of GDPR is the right to erase data, also known as the right to be forgotten. While this applies to personal data, the rest of the world can apply this logic to managing data --specifically, deleting, removing or otherwise retiring it. Many organizations have a difficult time knowing when to delete or destroy data. Having a conversation with stakeholders to confidently address both sides of this question is a good idea.
There is no silver bullet to compliance, but one thing all organizations agree on: going through any type of audit can deliver some painful lessons. Yes, GDPR may seem like a burden, but it's worse to be blindsided because of a lack of understanding. Take the time to understand GDPR and you'll see how it can mean sizeable benefits, whether it impacts your organization directly or not.