The European Parliament has set May 25, 2018 as the enforcement date for the General Data Protection Regulation (GDPR), the new EU-wide data protection regulation.
Many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands, said Pat Clawson, CEO of the Blancco Technology Group, adding: “Negotiations stretched on for the last four years, but now that the EU GDPR is a reality there will be many having to scramble to get their act together and prepare for these stringent new data protection rules.
My advice to them would be to start planning now and to treat the Regulation as a starting point rather than the finishing post. Going the extra mile to show you value your customers’ data simply makes good business sense. But when that trust is eroded, we’re talking about more than just immediate losses; we’re talking about the long-term impact on sales, reputational damage that can be really tough to recapture and even employee turnover. The legislation affects every organisation that offers services inside the EU and with potential fines of up to 4 per cent of global turnover this may well be the shot in the arm we need to firmly establish the protection of corporate and customer data as an issue that is regularly evaluated in the boardroom.”
Earlier, the European Parliament published the General Data Protection Regulation (GDPR) in the Official Journal of the European Union, meaning that the new legislation formally becomes law 20 days after publication. Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC, writes about what companies can do to start preparing for the new regulation.
“Keep Calm and Carry On” seems a fitting theme for the finally-published regulation; however, this is only the case if you’re one of the organisations already valuing customers’ data.
Unfortunately, for too long, some organisations have “presumed” consent, worked with “implied” permission, experienced data losses which have taken months to detect and report (remember Sony and Target?) and, in some cases such as TalkTalk, have been unable to properly classify which personal data has been compromised. No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better. So what can organisations do to start preparing for this new legislation?
Firstly, organisations need to evaluate the personal data they hold, categorising it so that they know where personal and sensitive data resides and where other, less important data sits in the company. Usually, drafting a data flow map will help businesses to understand how data moves through the company, provide clarity on who has “eyes on” the data and what skills those people have, and, finally, highlight where the data ends up.
Once organisations understand what personal data they have, they should ensure that regular risk assessments are completed in order to understand the degree of risk the company takes on when processing that data. Indeed, the GDPR demands a “risk-based approach” with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data.
For organisations that pass data on to third parties, there is often a tendency to presume that those parties must operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage processors who can provide “sufficient guarantees”. Basically, as the controller, you must check that they have effective “technical and organisational measures to ensure the security of the processing”, and you must do so before the data is handed over, not after a breach.
There is now also an essential need for organisations to prepare a breach notification plan in case something does go wrong. The GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, so the plan needs to work on that clock. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity, and make sure you rehearse this so you are practised when the real event happens; consider it a data breach fire drill.
So for today, organisations should absolutely “Keep Calm and Carry On”: whilst the GDPR will officially become law in 20 days’ time, organisations do have a two-year deadline to become compliant with the new legislation. However, it is vital to remember that two years can pass very quickly, and for many a significant amount of time and financial investment will be required.