The General Data Protection Regulation (GDPR), which takes effect May 25, 2018, is designed to unify data privacy requirements across the European Union (EU). If you market to, store, or process the personal information of EU Data Subjects (which include end users, customers and employees), this applies to you.
These expanded regulations require companies to ensure the highest level of privacy assurance or they could suffer severe financial consequences. The EU has taken great steps toward protecting consumer privacy, and now they are taking that protection to new heights by enacting regulations that could see companies fined up to 4 percent of their annual total global revenue.
GDPR provides protection to EU citizens regardless of where the data is “traveling” or ultimately housed. That means that any company that interacts with EU citizens is beholden to the regulations. This is not a regulation you want to be in the dark about!
If GDPR hasn’t been on your radar, check out Tech Republic’s 10 things to do right away.
What is GDPR?
GDPR replaces a previous law called the Data Protection Directive. It standardizes rules across the EU and aims to give consumers complete control of the data that companies collect about them. GDPR prevents companies from lumping dozens of disclosures and consent forms into a single “I consent” checkbox. That practice has been deemed too far-reaching and confusing for users, so consumers must be given the ability to consent to different items individually. Equally important, consumers must be able to easily withdraw their consent at any time.
One of the most significant requirements is that companies must now notify their data protection authority of a data breach within 72 hours of becoming aware of it. Affected customers must also be informed at the earliest possible time.
The GDPR provides a long list of “Data Subject Rights” including:
- Breach notification
- Right to access
- Right to be forgotten
- Data portability
- Privacy by design
- Data protection officers
To see the full list, click here.
How can a company be GDPR compliant?
Block all EU consumers! Okay, that’s not exactly practical (not to mention it would be bad for business). Companies must provide users the ability to control, monitor and delete any of their personal information. Companies must also implement “Security by Design” to ensure that appropriate IT controls are in place to protect privacy data, that such data is handled correctly, and that it is given the utmost care to maintain its privacy. These added processes will likely mean that many companies are forced to add personnel.
Here are some ways your team can help prepare for GDPR compliance:
- Conduct GDPR Assessments
- Assess the Current Security State and Identify Vulnerabilities
- Design Policies, Business Processes and Supporting Technologies
- Create Security Remediation and Implementation Plan
- Implement and Execute Policies and Processes
- Automate Data Subject Access Requests
Learn how enVista’s Information Technology team can help you get geared up for GDPR implementation and compliance.