The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, officially went into effect on May 25, 2018, and it is causing U.S. businesses in every industry to prepare for enforcement. GDPR brings important policy updates to the way organizations across the globe secure and handle personal data.

Whether you’re a hospital that has patients who live in the European Union or you’re a legal firm with clients in the EU, you’re required to meet the new GDPR standards.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for all individuals within the EU and addresses the export of personal data outside the EU.

Although this regulation was initially adopted back in April 2016, it became enforceable on May 25, 2018. GDPR is important for businesses because it harmonizes data protection regulations throughout the EU, making it easier for non-European companies to comply. At a time when personal data carries large economic value, the GDPR brings a new set of digital rights for EU citizens.

Under the GDPR, personal data is any information relating to a person, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

The regulation makes no distinction between personal data relating to an individual’s private, public, or working role. In a B2B environment, it is still individuals who interact and share information with each other. People in organizations obviously make the business, but the interactions between those individuals are exactly that: interactions between people.

Does GDPR affect me?

Most likely, YES. If not right now, it very likely will soon, so it is wise to take some initial steps now to prepare your organization for future compliance. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it has no business presence within the EU.

Does your organization need changes?

Here are a few things to look for to equip your business with the tools it needs to be compliant with these new regulations:

  • Implemented by the European Union (EU), GDPR has a global impact, affecting companies around the world, not just in the EU.
  • Beyond new responsibilities for businesses, GDPR defines new rights for individuals including more involvement with the information a business manages.
  • Non-compliance now carries more serious risk ranging from mandatory periodic audits to fines.
  • Implementing an Enterprise Content Management solution can help businesses reach GDPR compliance with enhanced document security.

It’s time to tighten up policies and procedures so your business meets the GDPR requirements. Whether your organization operates in the European Union or works with an organization that does, GDPR will affect the processes by which businesses access, share, and protect business data.

Is your organization prepared for GDPR?

Here are a few things to consider:

  • Understanding the impact of GDPR, and risks of non-compliance
  • How GDPR applies to the way businesses manage client information
  • The importance of having a GDPR-compliant document management solution

Ask most SMB owners and leaders, and you will find their understanding of these items is not concrete. In fact, in a study of more than 800 IT and business professionals responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% of businesses know few details or nothing about GDPR and 97% of companies don’t have a plan to be ready for GDPR.

What can I do to prepare for GDPR?

While there are many things you will need to do later, there are some key steps you should take now to be ready. Each of these is an aspect of a healthy data governance program that should already be in place:

1 – Document your Data

One of the most common issues organizations face is not having a clear audit trail of what data they have and how it can be accessed. As organizations experience rapid growth, they typically trade off security and management policies for “speed to decision-making,” subsequently granting access to a wider set of people and groups without a clear audit trail for the flow of this information. If your organization is ever required to perform an information audit, you need to be ready to identify where the information came to rest and how it got there. This is similar to processes in the food industry, where manufacturers must be able to track a product down to the “lot level” when a recall happens.

The best way to document your data is through a Data Catalog system. Many are available on the market today, each with its own features, and each addresses in its own way the gap many companies face in producing an information audit. An additional advantage of data cataloguing is that it helps democratize data in an organization. Making information available to the people who need it, and performing critical and timely analytics, is an essential characteristic of a data-driven company. Don’t be left behind without your data catalogued.

2 – Refine and Document Data Access Policies

In today’s fast-paced organization, sometimes people just “need access” to get the job done. However, the risks are far too great to simply grant access without proper justification or visibility into how the data will be used and for how long. The best way to manage this is to maintain an audit trail of data access control records. Some data catalog products provide this feature.

You should also define, through your data governance initiatives, the process by which individual data access requests will be handled. This provides an appropriate approval/denial process for each request and documentation of what was requested.

3 – Build Compliance into your Data Design

If you are unsure whether your current systems have enough built-in features to comply with the coming laws, consider a Privacy Impact Assessment (PIA) to confirm that you do. While a full outline is outside the scope of this blog, the Information Commissioner’s Office (ICO) has released a Code of Practice for PIAs, which describes how to perform one and includes templates to assist in the process.

Going forward, regardless of your own organization’s obligation to meet GDPR guidelines, data should be considered, valued, and protected as the asset that it is. A Privacy Impact Assessment can serve as a guide to achieving a level of compliance.

4 – Stewardship

Lastly, a data-healthy organization with a solid data culture and governance process in place will ensure that data stewardship is a priority. Each area of the system should have controls and accountability for data quality and user access. This ensures the organization is making good decisions with good data.

As an organization, you should also consider a “Data Protection Officer” (DPO) role: someone who is ultimately responsible for the stewardship of data within the organization. Much as a CFO or Controller governs monetary assets, the DPO will provide the oversight and accountability that organizations will need in the future.

Why the GDPR Should be on Your Radar if You’re in IT

So, what should organizations be preparing for regarding the new GDPR requirements? Here are a few important points to consider if you maintain information for any EU citizens:

    1. The GDPR requires strict adherence to individual consent when acquiring personal details. Many of the current U.S. regulations are organization-centric and are mainly targeted at protecting an individual’s information from a security breach. The GDPR takes consent to a new level: it requires that organizations obtain active consent from the individual before storing any of their personal details in their database.
    2. The GDPR includes a right to be forgotten rule worth noting. Under current regulations, an individual’s record in the organization’s database cannot be erased simply because the person wants it to be. The GDPR grants individuals a right to erasure, although what must be done to honor it is not black and white.
    3. The GDPR emphasizes compliance, risk activities, and high-security storage. Similar to many of the current regulations, the GDPR provides strict guidelines for implementing a risk-based approach to data processing and for measuring the effectiveness of privacy and security compliance controls. Under the GDPR, organizations must deploy adequate security, encryption, pseudonymisation, redundancy, and intrusion detection mechanisms to ensure that constituent data is not compromised in any way.

Is Your Organization Prepared for GDPR Enforcement?

In many ways, GDPR takes cybersecurity to a different level for certain organizations. It is going to be just as significant as, if not more significant than, the current industry regulations.

Making sure your organization is aligned with the data handling requirements of the GDPR before the enforcement date of May 25th is critical. In addition to familiarizing yourself with the GDPR requirements, it is important to map those requirements to your organizational policies and procedures. This is where our team at LBMC can help.

LBMC provides many options that can help you with your data woes. We have GDPR compliance services, data insights services and various software solutions to meet your business needs.

Please contact us today for more information about GDPR compliance and how technology can help.