For GDPR, apply Yankee ingenuity
The EU’s General Data Protection Regulation (GDPR), which goes into effect in less than a year, has implications for US companies. According to the regulation’s site, GDPR “applies to all companies processing and holding the personal data of data subjects residing in the European Union (EU), regardless of the company’s location.”
In other words, if your company holds personal data on people who live in the EU, you must be in compliance with GDPR by May 2018 or risk being fined four percent of annual global turnover (or 20 million euros) for violating the regulation. So if you have customers or employees living in Germany, Italy, France, Spain or 24 other countries in the EU, now is the time to consider GDPR compliance requirements.
To be GDPR compliant, you’re required to keep track of people’s personally identifiable data, including name, photo, email address, bank details, social media posts, medical information, and computer IP address.
You also have to manage requests related to the right to be forgotten, from tracking down the records to removing them from your systems. After you do that, you need to have a process in place to generate a document trail that can pass the auditor test.
GDPR also stipulates that companies appoint a Data Protection Officer (DPO). This applies to public authorities, organizations that engage in large-scale systematic monitoring, or organizations that engage in large-scale processing of sensitive personal data.
This isn’t laissez-faire. It’s a serious Digital Age compliance challenge that will create an estimated 220 new controls. Just think of the data privacy challenges faced by financial services and healthcare organizations under pressure to maintain the privacy of millions of customers and comply with regulations like GDPR.
Don’t panic yet
In a recent webinar, Amanda Chandler, Global Privacy Manager at Vodafone Group Services Limited in the UK, recommended treating GDPR as a transformation project, not just something for the lawyers. Her advice: perform gap analyses. Create action plans to close gaps. Broaden the awareness internally.
At first, GDPR sounds like yet another regulation for business. In reality, it builds on existing privacy regulations. Most organizations have privacy policies and procedures. In ramping up for GDPR, an organization can close the gaps and perhaps prevent future privacy breaches.
“It affects all functions of an organization, not just legal or HR,” said Chandler. “It creates an opportunity for a competitive advantage.”
For a primer on what GDPR means for your organization, check out McKinsey’s article on tackling GDPR before time runs out.
Solve GDPR with enterprise GRC software
Enterprise GRC software offers inherent advantages with GDPR compliance. For example, Keylight, a GRC platform, provides an integrated approach that empowers organizations to manage risk of every type, from operations and third parties to information security and privacy. Third parties are significant because, as the controller of a person’s personal data, you’re liable for the actions of processors and their compliance with GDPR. As processors of personal data, third parties should be assessed regularly for GDPR compliance.
GRC platforms are an efficient way to manage privacy data across an organization with European customers and/or employees. GRC technology can track and find all the records associated with an individual, as well as manage exceptions such as people exercising their right to be forgotten. From documentation and record-keeping to reporting and auditing of personal data, GRC software is built for it.
Keylight users also have access to citations and guidance for a number of privacy and data regulations around the world, including GDPR. It gives users a head start on compliance.
Sound the alarm
GDPR goes into effect on May 25, 2018. If you are a U.S. company with customers or employees in the EU, the privacy regulation applies to you. It’s not time to hit the panic button, but it is time to sound the alarm and work on GDPR readiness.