As the May 25, 2018 implementation date draws nearer, it’s only becoming increasingly important to kick off your General Data Protection Regulation (GDPR) strategy. The sweeping new privacy requirements not only affect organizations headquartered in the European Union (EU) but any global company that processes data of EU citizens or offers them goods and services. With hefty fines of up to 4% of your annual global turnover or €20 million for violating regulations, you won’t want to risk the expensive consequences of noncompliance.
GDPR provides one single privacy standard for all EU member states. It aims to increase protection of ‘data subject’ information — that is, any information that can be used to directly or indirectly identify a person such as date of birth, credit cards, social security, etc. — as well as giving citizens more control on how businesses use their data. GDRP doesn’t just impact IT systems; it also affects processes, organization, and compliance. For example, larger businesses will need to appoint a Data Protection Officer (DPO) in their organization, and, all teams handling ‘data subject’ information will be imposed to new processes and will need to be trained in the new privacy rules.
In addition, GDPR doesn’t just affect businesses in the EU. All and any companies doing business in the EU and consequently handling ‘data subject’ information are required to comply. Large corporations such as Microsoft have already begun the journey to ensure compliance, but smaller businesses such as e-commerce platforms must also take the necessary steps, or risk serious consequences.
It’s possible that the US might adopt regulations similar to GDPR in the future, though it’s hard to say for sure. There are certainly mixed signals, and privacy has a different tenure in the US versus in Europe. Critical events such as the Equifax breach, however, are serving to increase awareness and concern for privacy matters in the US. As a large number of US businesses will need to adopt GDPR for their EU activities, they will already be well-prepared in case the US also adopts stricter requirements. The EU commission is already counting on the fact that other nations, such as Japan and Australia, will soon adopt regulations similar to GDPR.
While GDPR is a regulatory requirement, it doesn’t necessarily offer crystal-clear, practical guidance for what businesses should do; it requires a bit of interpretation. IT, on the other hand, isn’t really open for interpretation; most decision making is relatively straightforward. Here are some tips to help you translate GDPR requirements into actionable guidelines for your IT systems:
- Secure the authentication process. Implement Multi-Factor Authentication (MFA) for access to (sensitive) data and applications. MFA requires several separate pieces of evidence as an authentication mechanism for the login process, which is a far more secure approach than a simple username-and-password combination. Equifax, which just suffered a data breach that potentially affected 143 million people, reportedly used the word “admin” as both the username and password for a South American database.
- Encrypt data connections. This means not only running all websites in HTTPS but also ensuring that the data traffic generated from your workspaces (e.g., each of your employee’s devices) are encrypted. We live in a world in which employees work from all kinds of locations and use public WiFi networks at Starbucks, hotels, airports, and more. Sending potentially confidential data in plain, unencrypted formats is simply not acceptable.
- Don’t store sensitive data on end-user devices. This includes laptops, tablets, smartphones, or any other device your employees use to work. Not only are these devices easily stolen or lost, but it’s almost impossible to manage decentralized and duplicate data.
- Audit usage and access. Make sure you know who has access to your “data subject” information, and have adequate monitoring in place so you can track potential anomalies. Start mapping where ‘personal data’ is used throughout your entire business. What does the data consist of? Who has access to it? What is the level of risk associated with this data? Where does it reside? Is it centralized in a single database, or are there copies in multiple locations?
Businesses both small and large must build security protocols and safety nets into the very DNA of their IT infrastructures, rather than simply layer them on as an afterthought. In addition, you should think about having a system or protocols in place to quickly and accurately notify individuals and authorities in the event of a breach.
The journey towards GDPR-compliance requires the right knowledge and expertise, as well as the right resources. Luckily, there are many experienced service providers that can assist you with your company’s transition, and help you to select the right solutions to streamline the process.