Share this article on:
With the May 25, 2018, introduction of the General Data Protection Regulation (GDPR) fast approaching, enterprises and organizations must ensure they are up-to-date with and understand the emerging GDPR compliance best practices. As the penalties for GDPR violations are quite severe, it is in the interest of all concerned groups to put these best practices into place.
Aside from avoiding sanctions, following GDPR rules can boost a company’s image among consumers. Robust protections and confidence in data security may lead people to more freely share their data with organizations, without them worrying as much about the risk of information breaches. Having said all this, we now present some GDPR best practices which your group may consider implementing.
What is the Purpose of the GDPR?
A simple but often overlooked first step is taking the time to understand what the purpose of the GDPR is. People follow rules more readily when they know why they are being put in place. A central goal of the GDPR is to allow individuals based in the EU to have more say in how their information is collected and used. It also maintains peoples’ right to request a copy of their data, but has narrowed organizations’ deadlines to comply with requests to 40 days. People can now request changes to their data, and have the “right to be forgotten” – to have their information erased – unless certain circumstances require the information to be kept.
The GDPR will introduce a common approach to how data is protected across EU nations. Though state governments will still be able to legislate some aspects and apply sanctions, greater collaboration between agencies is anticipated. This will allow for more streamlined management and processing of data from EU countries.
What Does GDPR Mean for You?
While entities may be aware that the GDPR will soon be implemented and what data it will regulate, they will still need determine if and how their activities will be impacted by it. There are a lot of groups still unsure of whether they are covered by the new law. The majority of organizations will be impacted. Some of the main items to clarify are that:
– The location of the data subjects – the people who the data is about – determines if you need to comply with the GDPR. If you are based in China, for example, but process the data of individuals in the EU, you need to comply with the GDPR.
– Organizations with more than 250 employees must designate a Data Protection Officer
– Smaller organizations that regularly process personal information or that process potentially sensitive information (as referenced in GDPR Article 9), are also subject to the GDPR.
Understanding the GDPR and how it can affect your activities is crucial. Without fully grasping this, you cannot be sure of complying with the law.
Conduct Data Audits
The GDPR will modify data processing regulations in a number of ways. A central element is consent. Outside of certain legal procedures, individuals must provide informed consent in order for data to be processed. Data may only be used for specified purposes and stored for the minimum amount of time for these to be achieved. Also, individuals must take an action of some description, either by giving consent orally or actively checking a box providing consent. “Automatic” consent or giving an option to uncheck a box authorizing consent is not allowed.
Any personal information that your organization currently stores must be audited to classify it, verify consent has been granted, and that it is in line with the GDPR.
Implement Data Management Procedures
The audit should allow you to identify the information you are storing, where and how it is being stored, and how it was collected. It should also tell you whether you can continue storing the data and the person in charge of managing it. If you cannot do this, you must introduce processes that will allow you to do so.
To comply with the GDPR, data can only be kept for the duration and goal for which it was gathered. If the goal has been achieved, in the absence of any other legitimate reason to keep the data, then it must be erased. Streamlining the amount of data held can also reduce the fallout should a data breach occur.
Verify Reporting Processes are Adequate
It is critical for groups to document their actions in order to demonstrate their compliance with the GDPR. This documentation should include the internal processes, procedures, and controls. It is a somewhat “guilty until proven innocent” situation where even without outward signs of violations, data protection authorities may still require proof that all is above board or they may impose penalties.
Assess the Risks Associated With Your Data
Risk assessments can help the company identify and address potential weaknesses in their data management and infrasecurity structure. Data Protection Impact Assessments are a required part of GDPR for some groups and aids them in determining the risks they face and the possible damage they could be caused should a breach occur. All entities must take steps to minimize the risks they find.
In the rare cases where it is not possible to reduce the risk, it is still possible to take action. A best practice is to contact the data protection authority for advice prior to processing the data.
Be Sure to Appoint a Data Protection Officer
As noted above, data processing entities employing over 250 people must appoint a Data Protection Officer. While there may be a shortage of experienced people with the introduction of the law, the GDPR does not state that any qualification is necessary and an unqualified person may be designated to fill the position.
Experienced or not, the role remains the same and a strong understanding of the GDPR is required. Some GDPR training may be needed, which is best to do before the GDPR comes into effect to ensure compliance. The Data Protection Officer is responsible for, among other things, creating procedures for data management and data protection. The role of the Protection Officer can be outsourced, but groups choosing this route must ensure the contractor complies with the GDPR themselves. This is because the external Officer will be considered a data processor under the rules.
Inform Employees of the GDPR Best Practices
While it is important that management and higher level staff know how the GDPR will impact activities, this knowledge must be passed along to all levels of the organization. As every employee will play a part in ensuring compliance, every employee must understand their duties and responsibilities. As a best practice, GDPR training should be considered for the entire workforce.
Create a Practical Breach Reporting Plan
Despite robust procedures and strict data management, breaches may still occur. Given the harm that can follow a breach, particularly when international groups are concerned, the GDPR requires data breaches to be reported within 72 hours.
As this is quite a tight deadline, companies should prepare detailed emergency plans to ensure the right people are contacted and the right procedures are followed in the right order. The old maxim of “hoping for the best but preparing for the worst” rings true here.
With time running out before the May 25 introduction and many enterprises still feeling unprepared, it is essential for you to take action, to implement these best practices, and to get your procedures in place as soon as possible. Don’t let yourself be caught out! The GDPR carries hefty penalties for those who aren’t compliant, and this is not a position where you want to find yourself in June 2018, or at any other time.