GDPR: General Data Protection Regulation
GDPR - General Data Protection Regulation - is in the news. Personal data protection in Europe is nothing new. With the new GDPR regulation, the European Commission, European Parliament and the Council of the European Union have set out to strengthen and unify legal protection of people’s personally identifiable information (PII). The new GDPR also addresses the export of personal data outside the EU. The GDPR aims to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR takes effect May 25, 2018, after a two-year transition period.
Steps towards compliance
Plan the GDPR compliance process — It is important to define the process an organization will follow to reach full compliance. Not only does it set down internal goals, it also demonstrates to the local Data Protection Authorities (DPAs), responsible for enforcing GDPR in each country, that your organization is serious about compliance.
Allocate resources to achieve compliance — An organization has to allocate the necessary resources to ensure compliance. Put someone in charge and provide ample resources to achieve goals set by management.
Understand the legal framework — Making sure that those charged with bringing your organization in line with new GDPR regulations understand the legal requirements is essential. Bring in outside legal counsel to look over the process if you feel your organization does not possess the required expertise to evaluate the changes needed to fully comply.
Identify the operational skills needed — As with any successful project, it is imperative that the compliance process identify the key operational steps required and that the right people are assigned to carry them out. Tasking the right people with reaching compliance is the basis for success.
Analyze your data — Personally identifiable information (PII) must be identified. It is, after all, what the GDPR is all about. What PII is your organization handling? Is it necessary to your organization? Is storing it necessary?
Protect PII — Evaluate protection strategies, ensuring that proper encryption and access guidelines are in place. If anonymizing all or part of the data, ensure the process can’t be reversed.
The GDPR takes effect on May 25, 2018. Organizations must not only achieve compliance by this date, but also ensure they have measures in place to remain compliant afterwards. Having a data protection strategy in place and keeping it current are essential to avoid non-compliance issues and, in the case of a breach, eroded brand and reputational value.
Have questions regarding the looming GDPR regulation taking effect May 25, 2018? Get in touch.