October 31, 2017
Is your company ready?
Data privacy rules in Europe are about to change and they may impact your security practices even if you’re not located in a European Union (EU) country.
The General Data Protection Regulation (GDPR) is replacing the Data Protection Act, and everyone has until May 25, 2018 to put new data management processes in place. With non-compliance fines of up to 4% of global annual revenue, companies need to prepare.
Here are important steps organizations should take.
o Make sure the company knows: Even though this is an EU regulation, all companies, anywhere in the world, that hold, transmit and process personal information about individuals who live in the EU must comply. Buy-in from decision-makers in organizations is important so that GDPR policies and procedures are adopted.
o Put someone in charge of compliance: While every workplace should have a security lead, under GDPR certain types of organizations will have to formally appoint a Data Protection Officer.
o Manage personal data – and individuals’ rights: Document the personal data the company holds, where it came from, and who it is shared with. Procedures must cover all the rights individuals have under GDPR, with the right to data portability being a new requirement.
o Review consent practices: Consent to hold personal data must be clearly documented. Make sure there are clear ‘opt-in permissions’, as the new regulation will not accept a failure to opt out as sufficient consent. Also, it must be as easy to withdraw consent as it is to give it.
o Highlight children’s data – and consent: The GDPR provides special protection for children’s personal data. A parent or guardian’s consent for children under 16 may be required.
o Update procedures for information requests: The legislation allows individuals to request information about their personal data. Consider all the logistical implications for how requests are handled.
o Adopt ‘privacy by design’: The regulation has a ‘privacy by design’ requirement that calls for data protection from the outset of collection. Collect the minimum amount of information, and consider privacy at the planning stages of projects. A Data Protection Impact Assessment (DPIA) may be mandatory in certain circumstances.
o Be more proactive about data breaches: Put procedures in place to detect, report and investigate data breaches. Under GDPR, notification to the ICO for certain types of breaches will be mandatory; in some cases, individuals will have to be notified too.
o Provide secure information destruction: GDPR’s ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary. They must delete or remove the information at the owner’s request. Partner with a document destruction company for secure information disposal of both paper and digital data. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed.