In May, the European Union (EU) will begin enforcing the most stringent regulations to date on how the personal data of individuals in the EU is lawfully collected, processed and stored. The European Union General Data Protection Regulation (GDPR) is a sweeping data protection law that affects not only European businesses but every organization handling the personal data of people in the EU, wherever that organization is based. Moving forward, noncompliance, whether or not it results in a data breach, can draw unprecedented fines of up to €20 million (about $24.5 million) or 4% of worldwide annual turnover for the previous financial year, whichever is higher. Essentially, if you want to conduct business in Europe, you had better comply.
In light of the massive data thefts frequently headlining global news, and the thousands more the public never hears about, the GDPR is expected to set a new benchmark for consumer data rights by holding companies of any size more accountable. This new level of compliance is sure to put added strain on internal security teams already struggling to keep pace with an ever-evolving criminal underworld that makes hefty profits selling stolen personal data. Under GDPR, security teams will be responsible for guarding all information that can be linked back to an individual, including online identifiers such as IP addresses and web cookies.
We are only a few short months away from GDPR enforcement, and companies are likely scrambling to put in place the systems and processes needed to comply. For those lying awake at night grappling with anxiety about the challenges ahead, it is not too late.
Here are three critical steps for successfully navigating GDPR:
Understand GDPR And Its Requirements
This may seem obvious, but you cannot solve a problem without first understanding what that problem is and what its potential impacts are. GDPR is by no means a lightweight regulation. It contains 99 articles, and some will apply to your business and industry more than others. What's more, if you don't have someone internal who is versed in the language of regulations, reading through the requirements can quickly become dizzying. You wouldn't let your IT manager act as your counsel in court; the same principle applies to regulations.
Hire or consult with compliance experts who can interpret the critical elements you must know. Article 33, for example, requires that a personal data breach be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and Article 34 requires that affected individuals be informed without undue delay when the breach is likely to result in a high risk to them. Claiming ignorance won't save you when fines are handed down. At the very least, set up a consultative session to understand the full scope of GDPR.
Assess Your Risk