Six months into the 24-month transition period of the General Data Protection Regulation (GDPR), you’ll want to consider how you store and collect EU citizens’ private information. And before you assume the new rule doesn’t apply to you, keep in mind that the regulation applies to every business that holds and processes data collected in the European Union, regardless of where that business is located.
It’s key to identify the changes you need to make before GDPR goes into effect on May 25, 2018. Prepare now rather than trying to catch up later, which could mean a lengthy audit and hefty fines. And by hefty, think 4 percent of your global revenue wasted on a potential GDPR fine. Yikes.
Based on the Information Commissioner’s Office’s 12 actionable steps, here are key questions to ask that will prepare you for the GDPR:
1. Do Key Decision-makers Know Where Company Data Is Kept?
This may seem like a simple one, but awareness is the first step in assessing your risk. Key decision-makers should understand what to do with the data they currently hold and at what level of sensitivity. First up, you’ll need to document where data is stored, whether it’s encrypted, and whether it’s stored in the EU. This may require IT teams to produce a data assessment report, finding and documenting sensitive PII for future regulatory and compliance audits. Be sure these processes are carried out in a legally defensible manner.
2. What Personal Data Do I Currently Have?
Document the personal data you hold right now, where it came from, and who you have shared it with; this may take the form of an information audit. Check that your procedures cover how you would delete personal data and how you would provide it electronically in an accessible format. It may be wise to appoint a Data Protection Officer to oversee this process for you and other company members.
3. What Would I Do If There Were a Data Breach?
Staying in the dark about data breaches won’t prevent them from happening. Build a rock-solid security incident response plan with clear procedures for detecting, investigating, and reporting data breaches as soon as they happen. A dedicated data breach response team can also lead this plan.
This is the best time to review your current privacy notices and understand who governs your practices nationally or internationally. Once you know where you stand, you’ll be able to make the changes needed to comply with full GDPR implementation. Companies can keep people better informed so they understand retention terms, profiling considerations, and processing reasons when it comes to personal data.
5. What Are Best Privacy Practices for My Clients?
You may already have check boxes and forms for clients to fill out and agree to your privacy terms. But are they up to date? Ensuring you implement the latest, most thorough consent forms for sensitive data, especially the special considerations involving children’s data, can help you sleep easier at night. Easy-to-read, customized online forms, consent boxes, and app confirmations can ensure consent stays valid in the future and through the GDPR’s full implementation.
6. Um, How Much Was That GDPR Fine Again?
To put it in dollars and cents, data breaches can cost US companies up to $22 million or 4 percent of global annual turnover, whichever is greater. There’s even a second tier of fines for data breaches that European authorities can impose on US corporations: up to $11 million or 2 percent of global annual turnover, again whichever is greater.