Arraya Insights | May 16, 2018
GDPR takes effect on May 25, 2018. Fines for non-compliance can reach 4% of annual global turnover or €20 million, whichever is higher. The regulation was adopted on April 14, 2016 with a two-year transition period before it applies, but like most regulations, it has been easy to push off until later. Well, later is now. With barely a week to go, it will be difficult to comply with everything if you are only just beginning the process. If you are playing catch-up, below are five steps you can take to get on the right track.
Define Your Responsibility
First and foremost, consult your legal department. While online articles are helpful, your corporate counsel is the place to turn for an official take on GDPR. Remember, being located in the U.S. does not mean you are off the hook. For starters, if you are headquartered in the U.S. but have offices or employees in Europe, you are almost certainly affected. If you process personal data of people who are in the EU, whether to offer them goods or services or to monitor their behavior (Article 3), you are affected regardless of where the processing happens or what passport those people hold. If neither of these applies to you, consider the companies you partner with. Are they affected? If so, they will probably want you to comply with the law as well, typically through the contract terms they are now required to have with anyone who processes data on their behalf (Article 28).
So what qualifies as personal data? According to Article 4, “‘personal data’ means any information relating to an identified or identifiable natural person.” The examples given include names, identification numbers, location data, and online identifiers, which Recital 30 spells out as including IP addresses and cookie identifiers. It is a broad definition. So, if you are storing the contact information of someone in the EU in your Outlook contact list, protecting that information is probably in scope (check with your lawyer first, however). Plus, you will have to consider where else copies of this data may reside.
Assign a Data Protection Officer
Article 37 requires controllers and processors to designate a data protection officer when they are a public authority, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when they process special categories of data (or criminal-conviction data) on a large scale. Even if you fall outside those cases, someone has to own this, and naming a DPO voluntarily is the cleanest way to do it. The DPO's tasks (Article 39) include advising the organization on its obligations, monitoring compliance, advising on data protection impact assessments, and acting as the contact point for the supervisory authority and for individuals. The DPO's contact details must be published and communicated to the supervisory authority, so it is important to choose the right person: someone with the independence and access to be involved in every issue that touches personal data. Appoint this person early and do so in writing, so everyone knows who holds this responsibility. Having no one in the role signals to a regulator or auditor that you probably have not done much to comply with the rest of the law either.
Formalize How You Handle Personal Data
GDPR is about giving individuals knowledge of, and control over, how others store and use their personal information. This means every processing activity needs a lawful basis under Article 6. Consent is one option, but it is not the only one, and when you rely on it, it must be freely given, specific, and as easy to withdraw as it was to give (Article 7); a pre-ticked box or a clause buried in the terms will not hold up. If an individual asks what information you hold on them, you must tell them and provide a copy (Article 15), and, for data they supplied that you process by automated means, provide it in a structured, commonly used, machine-readable format (Article 20). You also have to be able to erase personal data on request (Article 17) and to demonstrate that you did, since the accountability principle in Article 5(2) puts the burden of proof on you. Requests must generally be answered within one month (Article 12). This is probably easy within your major applications, but what about all the other places that data could be? Think about your backups, your file shares, email ... all of that is in scope. If you do not have an inventory of where personal data lives and who can reach it, now is the time to build one.
Have an Incident Response Plan
The law actually sets two clocks. A controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must document every breach whether or not it was reported (Article 33). A processor must notify its controller without undue delay. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay (Article 34). Note that a "breach" is broader than data leaking to outsiders: accidental destruction, loss, alteration, and unauthorized access all count. Practically, this means you must be able to detect a breach, establish quickly which data and whose data was involved, and run a notification process at short notice. The 72-hour clock runs from awareness, not from the end of your investigation, though Article 33 allows you to supply the details in phases if you do not yet have all the facts. Incident response is complicated, but regulators and auditors will look at that capability in the event of a complaint against your organization.
Expect Laws to Get Even Tighter
If you’ve avoided cyber security laws in the past (including GDPR), don’t get too comfortable. These laws are only going to get more complex and burdensome. GDPR is a European law, but I have no doubt that, if U.S. lawmakers can increase revenue through laws and oversight, they will do so. If nothing else, GDPR has given them a perfect starting point.
Want to carry on the conversation about how to prepare for whatever attackers – and regulators – have in store? Reach out to us today by heading to: https://www.arrayasolutions.com/contact-us/. From there, we can start a dialogue about your existing cyber security posture and how you want it to evolve.