The deadline for GDPR compliance has come and gone. If you didn’t prepare for it, then you need to act, and quickly – read on to find out how.
After much discussion and numerous warnings, the General Data Protection Regulation (GDPR) is finally here. This law applies to organizations that conduct business in Europe and is meant to protect the confidential data of citizens in the European Union (EU). It applies to companies no matter where they operate.
If you do business with EU citizens, you must comply with the GDPR, which means that almost every major corporation and media group in the world is affected. Here’s the problem though – the enforcement date for the new GDPR was May 25th, 2018.
U.S. businesses often fail to plan ahead and, instead, operate in a reactionary mode – this is no exception. Despite the buzz that the GDPR has been stirring up in the industry in the months leading up to the enforcement date, many businesses still aren’t compliant.
Key considerations involving the GDPR include:
- Businesses must give people’s IP addresses and cookie data the same high level of protection they give to names, addresses and government identification information like National Insurance Numbers. (A cookie is a small text file that a web browser stores on a user’s computer.)
- The conditions for consent are now more stringent. Companies can no longer bury consent in long terms and conditions written in legalese. Consent must be requested in an easy-to-understand format and in plain language.
- If a breach does occur, breach notification must be completed within 72 hours of first becoming aware of it. Businesses must notify their customers, controllers, and authorities without delay.
“The mandatory 72-hour GDPR breach-notification period has security professionals at Amnet [concerned] because most businesses aren’t prepared,” said Trevor Dierdorff, Amnet founder and CEO, to the Colorado Springs Business Journal. “The United States doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. Colorado’s requirement is less specific…”
Why You Need To Act Fast
The bottom line – businesses that fail to comply could be fined 4% of their global revenue, up to $20 million. Plus, the consumers whose data is breached can file class-action suits against them for noncompliance.
Regulators in the European Union will likely impose the largest fines they can and make an example of organizations that lack compliance – and will do so within the first 90 days of the breach. This is similar to how the U.S. Health and Human Services Office for Civil Rights handles HIPAA non-compliance cases with its “Wall of Shame.”
How Can You Catch Up With GDPR Compliance Right Now?
The following are steps your organization should take to prepare your technology for the GDPR.
- Perform a thorough inventory of the personally identifiable information (PII) you hold and where it’s stored – on-site or in the cloud – and determine in which geographical locations it’s housed. Don’t forget about your databases; PII is often stored there.
- Undergo a Gap Analysis. This is a process in which you compare your organization’s current IT controls against the requirements they are expected to meet. It helps you understand whether your technology and other resources are operating effectively. With the results, your provider of managed IT services can create an action plan to fill in the gaps. The right IT partner will understand the GDPR regulations and how your IT must support your compliance efforts.
- Create an Action Plan. Your IT services partner should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work, with specific timelines and milestones.
- Double-check your data privacy standards. If you don’t have a Technology Solution Provider, you need one for this. Data protection is key for an organization of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten,” a concept that was put into practice in the European Union in 2006 and is part of the GDPR. You won’t be able to honor it if their data is stolen.
- Be sure to document and monitor everything you do that’s related to GDPR compliance. This includes any changes or upgrades that your Managed Services Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence in protecting citizens’ private information and that you practice “defense-in-depth,” using multiple layers of security controls across your technology.
“Smaller businesses with no presence in Europe may not need to be concerned with GDPR compliance,” Dierdorff told the Colorado Springs Business Journal. “However, an increased focus on cybersecurity is a must regardless of your size. Breaches of your business data can be devastating. Most small and mid-sized businesses in our region are more vulnerable than they realize.”
For more information about the GDPR and how to get compliant quickly, get in touch with the Amnet team of security professionals at (719) 442-6683 or firstname.lastname@example.org.