The GDPR: Steps to Take Now
The European Union General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.
All companies processing the personal data of anyone residing in the European Union, regardless of where the company itself is located, must comply with the new regulation or face substantial fines.
What is the GDPR?
The GDPR is a massive overhaul of Europe's existing privacy regulations. The new requirements mandate a transparency framework that will significantly change how companies handle data. The 241-page regulation focuses heavily on giving individuals (data subjects) access to and control over their own personal data, and it requires that organizations document their data processing activities and be able to demonstrate compliance on request (the "accountability" principle).
Violations of the GDPR can result in significant fines. Non-compliant organizations can be fined up to 4% of their total worldwide annual turnover for the preceding financial year or €20 million, whichever is greater.
What companies should do NOW
Unfortunately, if your company has done nothing yet, it is probably too late to achieve full compliance by the May 25 deadline. There are, however, concrete steps you can take now to move toward compliance.
1. Make a GDPR checklist for your organization
Carefully review the GDPR requirements and develop a list of which requirements impact your organization. Make sure all leaders are on-board and aware of what changes need to be implemented.
2. Conduct an information audit
One of the primary requirements of the GDPR is that organizations keep a record of their data processing activities. Auditing what categories of personal data your organization collects, where it is stored, who it is shared with, and why it is processed will give you the inventory you need to build effective policies and procedures around personal data.
3. Address data portability
The right to data portability requires that when an individual requests a copy of the personal data they have provided to you, it is returned in a structured, commonly used and machine-readable format so they can take it to another service provider without losing it. The right applies to data processed by automated means on the basis of consent or a contract. Make sure you have a system in place to comply with these requests.
4. Develop a process for Right of Access requests
The GDPR gives individuals the right to access their personal data and to obtain information about how it is being stored and processed. The ICO provides a great guide to the Right of Access. Organizations must respond to access requests without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests), so make sure your organization has a process in place to identify, verify and fulfil these requests within that window.
5. Establish consent
Under the GDPR, consent cannot be assumed or inferred from silence, inactivity or pre-ticked boxes: it must be freely given, specific, informed and unambiguous, it must be as easy to withdraw as it was to give, and your organization must be able to demonstrate that it was obtained. Keep in mind that consent is only one of the lawful bases for processing; the ICO offers a detailed guide to consent that addresses when it is the appropriate basis and how to obtain and manage it.
6. Develop an Incident Response strategy
Does your organization have an effective Incident Response plan in place in case you experience a data breach? If not, develop one immediately. The GDPR sets specific requirements for how organizations must respond to personal data breaches: the supervisory authority must be notified within 72 hours of your becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), and where the breach is likely to result in a high risk to individuals, they must be informed without undue delay as well. If you have no existing Incident Response plan, these requirements are a good place to start. If you already have one, carefully assess it against the GDPR requirements, in particular whether your detection, triage and escalation steps can reliably produce a notification within that 72-hour window.
7. Update Privacy Notices
Has your inbox been flooded with User Terms and Privacy Notice updates? Most likely those companies are gearing up for GDPR compliance. Under the GDPR, organizations must state the lawful basis for each processing activity and tell individuals how their personal data will be used. Updating your privacy notices will likely be one of the last steps toward GDPR compliance, since an accurate notice depends on having completed the information audit and the other changes first.
As with any new regulation, there is much confusion surrounding practical implementation, and there will likely be many adjustments as companies and regulators develop a sense of how the requirements work in practice. Though implementing the GDPR requirements may seem daunting, the sooner your organization starts to dig in, the better off you will be.