Readying your business for the EU’s General Data Protection Regulation

In 2016, the European Commission adopted the General Data Protection Regulation (GDPR) to strengthen and unify data protection for people within the EU – with the primary objective of giving citizens control of their personal data.

With GDPR set to take effect in 2018, I wanted to take some time to look at why the new regulation matters to businesses everywhere and the potential precedent it sets in terms of data ownership.    

According to the GDPR, “personal data” is any information relating to an individual, whether it relates to his or her private, professional or public life. Personal data can take any number of forms, including a name, a photo, an email address, bank account details, posts on social networking sites, medical information or a computer’s IP address. The GDPR also includes specific provisions addressing:

  • The right to be forgotten

  • “Clear and affirmative consent” to the processing of private data by the person concerned

  • The right of individuals to transfer their data to another service provider

  • The right of individuals to know when their data has been hacked

  • A requirement that privacy policies be explained in clear and understandable language

At this point you may be wondering why this matters to any business outside the EU. Well, the GDPR applies to the processing of personal data of subjects located in the EU, regardless of whether the company is located or uses equipment in the EU or not. In effect, any company that markets goods or services to EU residents can be considered subject to the GDPR.

In order to understand the goal of the GDPR, it is worth considering the circumstances which spurred its creation.

It is generally agreed that the consumerization of IT fundamentally altered the way that business is done. There has been a huge increase in the number of devices in the workplace, data is more and more accessible and available at any time and from anywhere, and advances in cloud technology have created a wealth of online data storage options for businesses of every size.    

As a first step, companies holding PII would be well-advised to perform a detailed analysis of their potential exposure. Assess current data processing and protection practices in your organization, and determine what needs to be done to ensure compliance when the GDPR comes into effect. Use the time available to budget accordingly for measures like personnel training on security measures, time and resources needed to ensure compliance, and perhaps the hiring of a data protection officer. Such measures will have an impact on the bottom line, so plan ahead.

From a communications perspective, the best rule of thumb is to be proactive: Never assume a breach won’t happen – in spite of your best efforts, it could. Starting today, make it clear to your customers and your business partners that you understand protecting PII and complying with privacy regulations are top priorities at your organization. Communicate the importance of compliance to your workforce, provide relevant training on a regular basis and strive to create a company culture in which data security is a vital, shared responsibility. Finally, make sure your organization’s incident response plan includes clear provisions detailing how you will respond publicly to a breach and how you will communicate mitigation measures to your customers. To have any hope of retaining the trust and loyalty of your customer base after a serious breach, timely, accurate and transparent communication is essential.

The GDPR signals a turning point in the information age, bringing much needed clarity to the once grey area of data ownership, security and responsibility. Businesses cannot afford to ignore its impact or put preparation on hold. The cost of delaying action could be high – both financially and in terms of reputation.