Big news recently swept the privacy community, as the European Union has agreed to the text of the new reforms within the General Data Protection Regulation (GDPR). While the text of the law is broad and will apply to all companies across Europe, it’s not just organizations in the E.U. who need to be paying attention. Every organization, whether it is based in the E.U. or not, must comply with the law if it does business with a European company or citizen. The ramifications of this are huge since, for example, the law will apply to any e-commerce vendor who targets or sells to European customers in any way.
Even if you are not specifically doing business or established in Europe, the broad terms of the regulation mean that websites and cloud services developed by U.S.-based companies may be subject to the regulation merely because they are available to E.U.-based individuals. This is a significant change to the current law, which most courts generally agree only maintains jurisdiction over companies with an established business in a particular state. Complying with the laws will not be a small undertaking. It will require a major shift for many companies – even those that already have a privacy program. Because of this, waiting for the law to come into effect before doing any preparations will likely be too late.
Being late to the game can come with a significant cost: Fines can now cost as much as four percent of the organization’s global revenue.
To help you prepare your organization, here are five things CIOs should know about the GDPR:
1.) Privacy Impact Assessments are mandatory
Under the GDPR, all organizations doing business within the E.U. must perform privacy impact assessments (PIAs). For those unfamiliar, a PIA is an analysis of the ways in which personally identifiable information (PII) is collected, used, shared, and stored by an organization. Traditionally, conducting a PIA has largely been a manually intensive, paper-based process that takes a long time to carry out.
To make PIAs simpler and less prone to human error, we partnered with the International Association of Privacy Professionals (IAPP) to create the AvePoint Privacy Impact Assessment (APIA) system. APIA is designed to help you automate the process of evaluating, assessing, and reporting on the privacy implications across your organization. Even better? It’s absolutely free to download and available now through the IAPP.
2.) Privacy and security by design are now expected to be the default
Whereas privacy controls may have been brought into projects late in the game in the past, companies must now design, develop, and test new products with appropriate controls in place to ensure that PII is appropriately protected. In addition, they will need to prove that they are doing so. Organizations will want to begin conducting PIAs at the earliest phase of a project and address privacy through all features and controls throughout the design and development process.
3.) Data needs to be inventoried
The GDPR requires companies to create and maintain an inventory of their systems and data flows. It is important that organizations know what kind of PII data lives where in order to adequately protect it. With potentially unidentified data living across systems as vast as file shares, SharePoint, databases, the cloud, and social platforms like Yammer – many organizations will need to lean on technology solutions to discover, classify, and report on any sensitive data they hold.
4.) A risk-based approach to data protection is a must
Not all data is the same, which means not all has to be protected in the exact same way. Tying in with the need to inventory data, organizations will need to not only understand what kind of data they hold, but also determine what to do with it. Depending on the kind of data you find across your systems, you may need to move, delete, quarantine, redact, encrypt, or block it. The ability to do so swiftly and proactively – while proving that you’re doing it through regular audit reports – will be key in an organization’s ability to comply with the GDPR.
5.) Breach notifications are mandatory for E.U. companies
Not only will breaches carry larger fines once the GDPR is in place, but response activities – such as breach notifications issued to regulators like the Information Commissioner’s Office in the UK or the Commission Nationale de l’Informatique et des Libertés (CNIL) in France – must be carried out quickly. The company has 72 hours after a breach occurs to declare it to the authority.
In a time where data breaches make the news almost weekly and personal data is more of a commodity than ever, you can fully expect the GDPR to dominate the privacy conversation throughout 2016. Organizations will need to have both proactive and responsive data governance and protection measures in place to be ready.
Fortunately, our compliance solutions – including APIA and AvePoint Compliance Guardian – give you the operational tools you need to protect your data and define a clear policy that is both enforceable and measurable. To learn about how we can help you comply with the GDPR, visit our website for more information.
Join us at RSA Conference 2016 for more on the GDPR
Attending RSA Conference 2016 from February 29-March 4 in San Francisco, CA? Join AvePoint Chief Compliance and Risk Officer Dana Simberkoff for a panel entitled “Privacy, Security, IT and the new European General Protection Regulation” from 3:30pm-4:20pm on Tuesday, March 1 in room 2007. Dana will be joined by a panel of industry experts, including:
- Bojana Bellamy: President, Centre for Information Policy Leadership, Hunton & Williams LLP
- JoAnn Stonier: EVP, Chief Information Governance & Privacy Officer, Mastercard
- Michelle Dennedy: Chief Privacy Officer, Cisco
This session will explore:
- Methods to ensure IT, security, and privacy work better together
- Preparing your organization for the GDPR
- How to securely manage and share information
We hope to see you there!