What is GDPR?
GDPR stands for General Data Protection Regulation. It is a sweeping new EU law that will soon come into effect and will apply to any company that collects or processes personal data belonging to people in the European Union, even if the processing takes place outside the EU. The law therefore reaches foreign companies with operations in the EU and even companies whose only EU touchpoint is a website or app that collects and processes the personal data of EU residents.
Because it is a regulation rather than a directive, the law applies almost identically in all 28 member states of the EU, which is good news for companies, since they only need to comply with one standard. The legislation covers privacy rights, data security, data control, the right to erasure, breach notification, risk mitigation and due diligence. GDPR sets a high bar that will likely force most companies to invest considerable resources to ensure compliance. And comply you should: failure can result in fines of up to 20 million euros or 4% of a company's worldwide annual turnover, whichever is higher. Note that fines can be levied for infringements of the regulation generally, not only for a breach that exposes personal data.
Two compliance requirements stand out in particular: companies must notify the relevant EU supervisory authority within 72 hours of becoming aware of a personal data breach, and they must be able to demonstrate that their technical and organisational security measures are appropriate to the risk, taking into account the state of the art.
How to Ensure Compliance
We have prepared a six step process that organizations can use to prepare for GDPR and ensure that they are compliant.
1. Understand the Law – Make sure that you understand your obligations under GDPR as they relate to collecting, processing and storing personal data, including the special categories of data (such as health, biometric and other sensitive data) that the legislation singles out for extra protection.
2. Create a Road Map – Perform data discovery and document everything: research, findings, decisions, actions and the risks to the data.
3. Know which Data is Regulated – Determine which data is personal data under GDPR and whether any of it falls into a special category. Then record who has access to each kind of data, who it is shared with and which applications process it.
4. Start with Critical Data and Procedures – Assess the risks to all personal data and review your policies and procedures. Enforce the necessary security measures on production data containing your core assets first, then extend those measures to backups and all other repositories.
5. Assess and Document Other Risks – Investigate any other risks to data that may have been missed by your previous assessments, and record them.
6. Repeat and Revise – To avoid slip-ups, it's essential to revise your process and repeat it a number of times to ensure that all your bases are covered.
For further guidance and detailed advice, you should speak with a qualified and respected legal advisory firm like us, so that you can gain a full, in-depth understanding of GDPR and come up with an action plan tailored to your particular organization.
While the new legislation may seem daunting at first, there is a bright side to it. GDPR gives organizations an excellent opportunity to upgrade their security capabilities, both to meet the regulatory requirements and to improve their overall security with regard to data confidentiality and privacy, which has become a major concern in the modern world.