"Ch-ch-ch-ch-changes, turn and face the strange, ch-ch-changes" were David Bowie's heartfelt lyrics in 1971, when the world was experiencing massive change in the pre-computer, pre-internet days. But all may not be so Hunky Dory for companies facing GDPR compliance in today's world. How apropos that a famous UK singer sang about changes with global impact almost 50 years ago, and that we now face another change, this time from the European Union, next year. If your company does business internationally or stores data from European citizens, this will affect you, and the financial implications of not complying will be significant.
In May 2016, the European Union passed the General Data Protection Regulation (GDPR) - a law that sets forth data policies and procedures to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
It's one of the most significant changes in data privacy regulation in 20 years - and the impact of GDPR is fast approaching: Businesses must be in compliance by May 25, 2018, or they can face serious consequences affecting not only a company's data but its brand image and customer relations.
Don't think this law applies to you? Think again. You don't have to have an office in the EU or process data in an EU-member state. Any firm - international or local - of any size or industry doing business in Europe or with European customers must comply. If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you need to pay attention.
Our advice? Act now and ch-ch-change to meet GDPR compliance.
Start by digging into the weeds of the GDPR to identify what you need to do to comply and to prepare adequately for the new processes. Take a look at the EU's official GDPR page to understand the precise measures you need to take, the enforcement expectations and the disclosure requirements. The official document has 11 chapters and 91 articles, so you might want to get started now.
Get a team together to do a data management and information security audit. Discuss which parts of your company are impacted by these new regulations and consider any budgetary resources needed. You can then get an action plan in place to make the necessary changes to comply with GDPR.
The Association of Information and Image Management put together this detailed whitepaper on the Three Keys to Your GDPR Compliance Strategy. It provides tips on how you can focus compliance efforts on unstructured content, metadata, and the user.
Some general areas to start considering include:
- Breach Notification: Organizations are required to notify member states of a breach within 72 hours and customers without undue delay after first becoming aware of the breach.
- Data Portability: The data subject has the right to receive personal data concerning them in a commonly used and machine-readable format and can transmit data to another controller.
- Right to Be Forgotten: The data subject has the right to have their personal information erased, cease further dissemination of the data and potentially halt third-party processing.
- Data Protection Officers: Only required of public authorities and organizations that engage in large-scale systematic monitoring or large-scale processing of sensitive data.
- Privacy by Design: Data protection must be included from the onset of system design, instead of an add-on capability.
"Time may change me" - David Bowie, "Changes"
Making these changes will take time, so you need to start as soon as possible. The alterations you make will likely require broader organizational change, which means staff need time to learn new processes or systems. The GDPR may even be a blessing in disguise: your company will reap the benefits of a more robust information management system and an enhanced data protection program. If you start building up, and monitoring, your data protection process now, it will be effective when it actually counts.
Because there are no technological or implementation requirements, only broad measures to follow, it can get overwhelming. If you have questions about what your organization needs to do in order to comply with the GDPR, let us know. We are familiar with the necessary requirements and can provide a comprehensive, enterprise-wide approach to data protection.