What is GDPR?
GDPR – which stands for General Data Protection Regulation – is an update to European data protection rules; it governs the collection, use, and protection of private information belonging to residents of the European Union (and to computer systems located in the EU). The primary objectives of GDPR – which was enacted in April of 2016 and goes into effect in May 2018 – are to provide Europeans with better control of their personal data, and to simplify privacy regulations throughout the region (by mandating standard privacy rules).
Didn’t Europe already have strict privacy laws?
Yes, but the new laws are much more robust and up to date – and are also regulations rather than directives.
GDPR replaces the data protection directive that went into effect in 1995 – with the massive technological changes of the past 22 years, the old directive was, to put it mildly, outdated. Besides revamping material from the directive, GDPR also introduces new rights – such as the right of people to know if their data was compromised; the new rules mandate notification in case of a data breach.
Why should American companies care about European law?
GDPR extends European data protection law to all foreign parties possessing protected data of EU residents. As a result, every individual, business, and government body that processes data belonging to EU residents can be exposed to fines (some quite large) and bad publicity if they do not conform to the new law’s requirements. Fines, for example, can be as high as 4% of revenue. (Time will tell how many firms that do not have a European presence actually adhere to the rules.)
What do I need to do now?
To get ready for GDPR:
- Decide on ownership – Businesses need to determine who within their organizations will be responsible for GDPR compliance. It is possible that many organizations will assign this task to different types of teams; it is easy to see how folks in the legal department, human resources department, the compliance team, or the CISO’s organization could all own GDPR-compliance responsibility. In any case, however, the CISO should be actively involved – as many of the mechanisms for ensuring GDPR-mandated security will fall under his or her purview.
- Audit to see where things stand – determine what you need in order to comply with GDPR.
- See what you already have that can be used, and acquire strategically – policies, processes, and technology that are already in place for information security purposes may also help with GDPR compliance. Remember, GDPR contains many broad rules – there is not just one specific type or brand of technology that is needed to comply.
- Start with high-risk assets – In many situations GDPR compliance will not be achieved overnight – time and money will be expended in order to properly comply with the new rules. As such, start with the internal systems that handle the most sensitive data from a GDPR perspective – the human resources department’s technology infrastructure is a likely candidate.
- Obtain privacy and information security awareness training for all employees – Remember, humans are the weakest link in the security and privacy chain. To mitigate the risk created by people, train your employees, and utilize technology to address situations in which they make mistakes.
To learn more about GDPR, watch the free webinar, GDPR: What You Need To Know, from Microsoft Office’s Modern Workplace.
This post is sponsored by Microsoft Office.