Companies only have a few months left to prepare for the new European #DataProtection Regulation. On 25 May 2018, all companies managing personal data of citizens of the European Union will be required to comply with the new regulations and requirements of the General Data Protection Regulation (GDPR).
This regulation will impose significant new obligations on companies that manage personal data, as well as severe penalties for those who violate these rules, including fines of up to 4% of global turnover or €20 million, whichever is higher.
With only a few months left before the Regulation enters into force, many companies have not yet started preparations and will have to develop and implement a compliance strategy. To ease that journey, we have listed eight rules to follow below.
Understand your Data
The first step to comply with the GDPR is to understand how personal data is stored, processed, shared and used within the company. Through a careful audit, you will need to compare existing practices with the requirements of the new regulation and identify the changes needed to bring your business into compliance in the way that best suits you. Remember that the obligations of the GDPR do not only apply to the strategies and measures put in place by your company but also extend to the providers who process personal data on your behalf.
Determine who is responsible for data protection
While some companies will have to appoint a data protection officer, everyone working within the company will have to adopt a data protection compliance program. The data protection officer may need to strengthen the company's strategies in this area and train its staff.
Please note that not all companies will necessarily have to appoint a Data Protection Officer, but good practice suggests that such a delegate is essential for companies that engage in either of two types of activities: large-scale processing of specific categories of data and large-scale monitoring of data, such as behavioral advertising targeting.
Ensure a legal basis for Data processing
Your company will want to examine the legal basis on which your strategy for handling each type of personal data rests. If it is based on consent, you will need to identify the method used to obtain that consent and will have to clearly demonstrate how and when that consent was given. Relying on consent means that the data subject can withdraw his or her consent at any time and that the data controller must then stop any processing of that data subject's personal data.
Understand the rights of the people concerned
In accordance with the GDPR, any person whose data you process is given new rights, including the right of access to personal data, the right to correct and delete such data, or the right to portability of personal data.
Can your business easily locate, delete, and move customer data? Is it able to respond quickly to requests for personal data? Does your company, and the third parties that work for it, keep track of where these data are stored, how they are processed, and who they were shared with?
Ensure confidentiality from conception
Under the GDPR, companies are required to implement a confidentiality strategy from the design stage when developing a new project, process, or product. The goal is to build confidentiality into a project that handles data from the moment it is launched, rather than adding confidentiality measures retrospectively, in order to reduce the risk of a breach.
Have you limited access to personal data to those who need it in your business? A data protection impact assessment is sometimes necessary before processing personal data.
Be prepared for a data breach
Your company will need to implement appropriate policies and processes to handle data breaches. Make sure you know to which authorities you will need to report any data breach, and the deadlines for doing so. Any breach may result in a fine. Put in place clear policies and well-practiced procedures to ensure that you can react quickly to any data breach and notify in time where required.
Communicate the main information
Collaborate with your suppliers
GDPR compliance requires an end-to-end strategy that covers vendors processing personal data on your behalf. Using a third party for data processing does not exempt companies from the obligations incumbent on them under the GDPR.
With any international data transfer, including intra-group transfers, it will be important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognized as having adequate data protection regulation. Verify that any third party processing data on your behalf has established strict data protection standards, has extensive experience in large-scale data security management, and has tools to help improve data governance and reduce the risk of a breach.
Ensure your vendor meets globally recognized standards for security and data protection, including ISO 27018 – Code of Practice for Protecting Personal Data in the Cloud. Ask your vendor to provide you with all information about the security of its network and of the data residing on it (for example, its encryption policies and the controls in place at the application level), its security policies, and its training, risk analysis, and testing strategies.