Three Things Companies Must Do to Prepare for GDPR
May 25, 2018. That is the date the European General Data Protection Regulation (GDPR) goes into effect. GDPR is a European Union (EU) regulation that outlines and mandates the proper handling of, and compliance requirements for, the personal data of EU residents. Several operational requirements are still open to interpretation, and detailed guidance on what full compliance looks like is still incomplete, but the penalties are already strict. Companies found to be non-compliant with GDPR can be fined up to 4% of their global annual revenue or 20 million euros, whichever is higher. It is also assumed that fewer than 50% of global companies and organizations will be fully compliant with GDPR by May 25, 2018.
The focus of GDPR is to set out guidelines and mandatory practices to protect privacy and personal data. Personal data can be interpreted as any piece of information that can lead to the specific identification of an individual. Examples include addresses, employee ID numbers, IP addresses, social security identifiers, and transaction records. While privacy is the key, every organization has underlying security needs in order to protect its customers' and consumers' personal data. At a high level, here are three things companies must do to prepare for GDPR:
Identify and Secure Personal Data
Companies and organizations must have a full picture of the personal data they retain for customers and consumers. The key records of consumers, accounts, and information must be understood, located, and specified for the legal, IT, and security teams within the company. With a clear assessment of the data the company retains, the IT department can identify the areas and applications where data is stored, transferred, and shared, and reduce the visibility and availability of that data to resources that do not need access. The company's security team can restrict internal and external access to all resources within the company, further reducing the risk that personal data is exposed to parties outside the organization or to those attempting to hack company systems, networks, or devices. The company's legal team can understand and manage the company's risk appropriately through its terms and conditions with customers and vendors.
Establish GDPR Compliance Quickly
The penalties for non-compliance with GDPR are severe. The loss of customer trust can be even more severe and damaging to a company's reputation. Compliance is a requirement for any company that holds data on EU residents, whether in Europe or abroad. If any services are provided to EU residents, GDPR compliance is mandatory. This is a daunting task. Full assessments are required. Awareness and communication are needed within the business, across products and services, and between departments. Companies must invest in GDPR privacy and security readiness assessments to avoid non-compliance. By working with security and privacy experts and consultants through Unisys, companies can dramatically reduce the time needed to meet compliance standards.
Monitor and Maintain GDPR Compliance
In a world of evolving cybersecurity threats and developing technology, maintaining an environment that is fully compliant can be extremely challenging. Performing an assessment and establishing compliance with GDPR is a significant achievement. However, the final step is to ensure that your organization monitors and maintains that compliance. Companies need to implement a security framework throughout the organization that reviews, detects, and reports any potential violations so they can be resolved quickly. Continuous monitoring and maintenance, by employing managed security services from proven experts, is a primary method of meeting this requirement.
Achieving and maintaining GDPR compliance requires strict implementation of technical and organizational measures to identify, control, and manage personal data within your organization.