As cyber crime rises globally, the European Union has decided to revise its data protection laws and introduce a unified model for everyone who processes customer data.
Those revisions take effect May 25th, 2018 under the General Data Protection Regulation, or GDPR.
The Regulation says that any organization handling “personally identifiable information” of any EU citizen must comply with new and improved data protection norms by May of next year.
According to a survey by SAS, awareness in government organizations is the lowest of any sector: only 26% of government organizations are aware of the impact of GDPR.
Privately held companies aren’t much better off. Most global organizations either lack a structured plan for compliance or they don’t fully know the consequences of not complying with the Regulation.
Companies found noncompliant may have to pay penalties of up to 4 percent of their annual revenue or 20 million euros, whichever is higher.
Analysts estimate that last year’s fines would be 79 times higher under the new regulation. Studies indicate global organizations are entering murky waters. With only a few months to go, it’s high time everyone knew what they are up against.
Today, we’re going to look at five important steps that pave the way for GDPR compliance.
#1 Find out if the GDPR affects you
If your organization processes customer data – with full power over how that data is stored, managed and moved around – you are essentially a data controller. This means you must comply with GDPR rules and regulations. Now it’s important to develop and implement a data governance plan.
#2 Appoint a Data Protection Officer
Companies can pick a DPO from within their ranks, or they can outsource the role. This officer must act as the point of contact for the authorities monitoring compliance.
#3 International data transfer
Special precautions are needed when personal data is transferred to countries outside the European Economic Area that do not provide the same standard of data protection as the EU.
Your organization needs to carefully consider the appropriate mechanism for each country to ensure compliance with the GDPR.
Remember that not every European country is an EU member state, so different levels of data protection may be required for different countries. And even if your business is not in the EU, you may still have to comply with the Regulation.
#4 Demonstrate accountability
To be compliant with the GDPR, you must prove that you can and will protect customer data. This can include:
- creating new data protection policies
- making data protection impact assessments
- issuing documents on how data is processed
- obtaining clear and express consent (or consent withdrawal) from your customers
- and more
Speaking of customers…
#5 Be prepared for customers exercising their rights
Under the GDPR, data subjects can invoke the “Right To Be Forgotten.” This means EU citizens can have their personal data deleted from any records, upon request.
Your customers are also entitled to the right to receive a “Data Portability Notice” under the Regulation.
Data subjects’ requests for their personal information must be handled free of charge.
Finally, you have to be fully prepared to handle a data breach, or your customers might sue you out of business.
According to UK information commissioner Elizabeth Denham, the new regulation is only a “step change” for organizations that already comply with existing data protection laws. But if recent studies are any indication, many organizations processing large pools of data are nowhere near compliant yet.
Bitdefender and its competitors are making it their job to educate global companies to help them comply by May 2018.
For more information on GDPR, visit businessinsights.bitdefender.com.
This is a Security Bloggers Network syndicated blog post authored by Filip Truta. Read the original post at: HOTforSecurity