GDPR or General Data Protection Regulation, establishes strict rules to protect customer data within the EU and it regulates the exportation of personal data outside the EU.
It is a must for any company, individual, corporation, charity, or non-profit offering goods or services, or monitoring behaviors of individuals, within the 28 EU member states.
Here are some of the challenges your business will face and how you can overcome them.
Broader Definition of PII
In response to consumer concerns regarding data security, GDPR rules include a broader definition of what constitutes Personally Identifiable Information, or PII.
Companies routinely encrypt items such as customer name, address, email address, and ID numbers. However, GDPR requires the same level of protection for items such as cookie data, IP address, RFID tags, and health, biometric, genetic, racial, and sexual orientation data.
The GDPR governing body reviews companies to ensure they provide a “reasonable” level of protection. Companies must not store data longer than necessary and only when an individual consents. They must also erase personal data upon request. Obviously, this has a tremendous impact on how businesses handle data.
Data Protection Crucial to Success
The EU’s stringent rules should be a wakeup call for business. Data protection has increasingly become a concern everywhere and companies should expect to see more of it in the future. Business needs to improve security measures to remain competitive within the global market.
Consumers are more aware of their rights and they expect more transparency and responsiveness from the business. According to 2019, RSA Data Privacy & Security Report consumers blame companies over hackers in the event of a data breach. Additionally, company employees don’t hold themselves responsible if they lose confidential information on the job.
Clearly, the processes, procedures, and mindset surrounding PPI have to change. This requires a significant investment and ongoing administration. However, providing adequate data security offers a competitive advantage. It boosts consumer confidence and improves technical and process efficiencies for a more resilient business.
Organizations that fail to comply with the GDPR risk severe penalties, including fines of up to $20 million or 4 percent of annual revenue, whichever is higher. Unfortunately, any business can fall victim to reputational and financial exposure due to a lack of knowledge, expertise or technology.
DLA Piper survey data found about 60,000 breaches were reported to EU authorities from the inception of GDPR to January 2019. Regulators issued 91 fines of about $398 million. The largest were $125 million against Marriott International for data breach and 50 million euros against Google for processing personal information without obtaining proper permissions.
Fortunately, fines are usually a last resort. Organizations that choose to implement effective measures, self-report, and engage with authorities demonstrate wise business acumen.
Increased GDPR Liability
GDPR places equal liability on organizations that own data and third-party data processors. As a result, if your third-party processor is not in compliance, your business isn’t either.
All existing contracts with third-party processors must define obligations and responsibilities regarding data management and protection and how to report data breaches.
Companies need a single point of contact to meet the 72-hour breach reporting window. They also need the policies, procedures, and a response structure to deal with the implications of these events as quickly as possible.
As a result, contracts have increased in importance. Businesses that do not use them can’t demonstrate to regulators they’ve taken “reasonable measures” to protect data.
Towards GDPR Compliance
First and foremost, confirm your organization needs to comply with the GDPR. If “processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment,” you are subject to the GDPR.
If your business is subject to the GDPR, change always starts at the top. Management must stress the importance of data protection so employees take the issue seriously.
Involve All Stakeholders
GDPR compliance goes far beyond IT. It must include any aspect of business that deals with PII. This includes marketing, finance, sales, and operations if they collect, analyze, or use customer PII.
Tell Customers Why
Assess Data Processing Activities
An assessment identifies what data your company stores, its vulnerabilities and measures needed to mitigate these risks. This includes creating an inventory of all applications that process PII within your company, including mobile.
Implement Data Security Practices
Once you’ve identified risks, it’s time to put measures in place to protect data. Organizations must complete the Record of Processing Activities (RoPA) to track their progress.
Vendor Data Processing Agreements
It is essential your company has data processing agreements with all vendors to reduce risk. It establishes the rights and responsibilities of each party and should include any subcontractor handling personal data.
Designate a Data Protection Officer
GDPR regulations require many organizations designate a DPO who protects PII without a conflict of interest. Your company may need to hire a person outside of your organization, but the position need not be full-time or in-person. Virtual DPOs are consultants who work on behalf of your business.
Designate an EU Representative
Some organizations may also need to appoint a representative based in one of the EU member states.
Ask for Help
This article only touches on the GDPR’s expansive requirements and they vary greatly between companies. Small organizations may not have the resources or the knowledge needed to meet requirements on their own. Fortunately, advice is available, regardless of business size. Let Blueback Global provide you with accurate advice to minimize the impact on your business while you work towards GDPR compliance. Contact us for a free consultation and get the advice you need if you collect or use data on EU citizens.