While there are borders between nations, the world is integrally connected. That is perhaps nowhere more evident than in the marketplace of the Internet. The interconnection that the Web allows also means that security is a huge priority, since no one wants unauthorized parties accessing their confidential data. Sometimes legislation will be passed that impacts the way sensitive information is treated. If the body making these decisions is large enough, the simple passing of a new set of rules can have a seismic influence on global business and the ways that information systems are defended.
A good example of this kind of law passed in the United States is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While HIPAA compliance is technically limited to protecting the health records of US citizens, it has a broader effect because companies headquartered elsewhere must have their systems adequately secured to meet the needs of any US patient data. Similarly, GDPR compliance is necessary for any company, wherever it operates, that handles the data of European customers.
If the General Data Protection Regulation sounds new, it was actually passed on April 27, 2016 – so there were 25 months given to organizations to prepare for the May 25, 2018 effective date. It is reasonable that many companies have not understood that they could have to meet the needs of a law passed by a foreign entity.
What is the GDPR?
The General Data Protection Regulation is a wide-ranging new law that mandates reasonable protection of the data of citizens within European Union countries that is handled by any business, no matter where (i.e., Europe or otherwise) the information is gathered, processed, or stored. Both organizations that have business established in European Union member states and digital entities (apps and websites) that interact with the sensitive information of European citizens must be GDPR-compliant, as indicated by Leslie K. Lambert.
If you want a little bedtime reading, the GDPR can be read in all its glory in the Official Journal of the European Union – see Regulation (EU) 2016/679 of the European Parliament and of the Council.
7 steps to GDPR compliance
If you have not had a chance to evaluate your systems and update them to reflect the new needs of the GDPR, here are simple steps you can take to achieve compliance:
#1.) Establish a GDPR team and data protection officer.
GDPR compliance should be an organization-wide concern. Align a group of people from various departments and roles (including IT, risk, finance, and marketing) who will each serve different functions in the adoption of these new parameters. The GDPR mandates the assignment of a data protection officer at firms or agencies that perform high-volume handling of confidential personal details or criminal backgrounds, or that conduct high-volume routine and frequent tracking of the people to whom the data applies – called data subjects.
Assuming you do not meet those stipulations and are not required to have a DPO, you may still want to assign a DPO or GDPR compliance officer so that your efforts are more straightforward, as indicated by UK attorney Rachael King.
#2.) Consider your accountability.
You will be reviewing the way that you treat data, both through your own means and through others acting on your behalf. You can better understand the GDPR, suggested Luke Irwin of IT Governance, by looking through the lens of accountability. Ask yourself the following questions related to all data you store:
- Why is the data being stored?
- Where did you get the data?
- Why did you initially collect the records?
- What is the timeframe for retention of the records?
- Is the information well-protected, through both encryption and access restrictions?
- What are the circumstances through which sharing with other entities occurs?
#3.) Prioritize your customers’ privacy rights.
Once you’ve taken a hard look at the way that your organization is storing and retaining information, turn and look directly at the rights of individuals, as newly mandated by the GDPR. In other words, become familiar with the privacy concerns that are the driving force behind this key law. Institutions that gather and retain data of (EU-residing) individuals have to respect certain privacy rights, which include:
- Right to deletion (ability to remove records)
- Right to access (ability to view records)
- Right to portability (ability to transfer records)
- Right to notification (ability to know key information about records)
- Right to correction (ability to change inaccurate information)
- Right to restriction (ability to limit the ways personal data is handled)
- Right to object (ability to stop certain processing based on personal concerns).
#4.) Check your current documents and mind the gap.
Many organizations move first to looking at their agreements with outside entities (both service providers and clients) to gear themselves toward compliance. The first step, though, should be to look at what you currently have in place in-house, as advised by Mark Ross in Compliance Week.
Your policies, procedures, and other elements of your compliance stance should all be reviewed, with any aspects that do not meet GDPR noted. Having looked inward, you must then look outward and verify that all of your vendors are GDPR-compliant as well. As you look at all your various systems and relationships, you are conducting a gap analysis. This analysis must check that there are data retention stipulations noting the maximum time for which data can be stored. You should also ensure that you know where and in what manner all data storage occurs, as organized within data maps.
#5.) Create a gameplan and determine applicable contracts.
Once your gap analysis is complete, you can start to look carefully at all your agreements. You should have a gameplan that organizes the way your contracts are drafted and amended over time. Write your GDPR amendment, bearing in mind that your firm may fit the definition of a controller and processor under the law. Be ready for companies not to always readily accept this additional language. You will lower your risk by preparing this clause and using it to negotiate.
Now look at your current agreements to identify the ones that fit the scope. You can use a machine learning tool that assesses contracts in order to find the provisions that should be targeted. To complete this process:
- Set aside any contracts that are inactive.
- Focus your attention first on agreements that represent the greatest risk.
- Review the contract to see if it is GDPR-compliant or not. If data is being sent outside the EU, the way in which that data is transferred will have to meet GDPR specifications.
#6.) Send amendments and store final agreements.
For any contracts that are not GDPR-compliant as-is, you need to get those agreements amended. The amendment process may take some initiative on your part, since some organizations will not be as concerned with the GDPR, or otherwise not as quick to act, as others. Once you have determined what needs to be updated, send out amendments and get these new contracts signed. Once you have the agreements finalized, you can store them in a structured data format according to their key terms, within a contract lifecycle management system (to simplify organization and referencing).
#7.) Look at your data breach notification procedures.
Notification of data breaches is a core component of regulations that protect personal data, as previously seen within HIPAA and other regulations. Any time that information you are holding or processing becomes compromised, the entity that becomes aware of the breach must send information related to the incident “without undue delay” and in a maximum of 72 hours to the Information Commissioner’s Office (ICO). Verify that your environment will automatically notify you if a breach ever takes place. Also be certain that all your personnel know how to respond to a security event should one occur.
Are you concerned about the new parameters of the General Data Protection Regulation and how it specifically impacts your organization? We are happy to discuss how the needs of the GDPR can be integrated into your data documentation, systems, and partnerships. At Total Server Solutions, we provide everything you need for a GDPR-compliant system, with a 24/7 staff of engineers and full training for all our personnel.