What if an auditor walked up to your company next week and demanded evidence that you are compliant with General Data Protection Regulation (GDPR) rules? How would you respond?
That scenario may well occur at companies in Europe and beyond starting in 2018. Computer Weekly, a U.K. technology publication, estimates that U.K. companies may face penalties greater than £100 billion in 2018. Presumably, U.K. companies already have some experience meeting EU expectations for security and privacy. If your company is new to the European market, the losses could be worse.
What Is General Data Protection Regulation?
The GDPR framework is a European Union attempt to simplify data privacy laws across Europe. Even though the law was approved in April 2016, companies have some breathing room to understand the new changes. The EU plans to begin enforcing the law in May 2018. If your company is non-compliant then, you are likely to face fines. GDPR includes the authority to impose significant fines that could easily stretch into the millions.
Steps to Fast-Track Your GDPR Compliance
While we cannot provide legal advice, we can equip you with the key principles and ideas you need to know to get ready. Once you understand these concepts, you will know the right questions to ask to prepare.
1) Carry out a data audit on your current capabilities.
Before you can improve, you need to understand your organization’s capabilities. For instance, do you have a comprehensive inventory of data assets? If you have the internal resources, create a joint task force of IT and internal audit leaders to carry out this assessment. If the preliminary findings indicate you have serious gaps, consider engaging an outside expert to provide additional advice.
2) How quickly can you detect and report on data breaches?
The days of keeping data breaches quiet for weeks or months while you assess the damage are over. According to consulting firm PwC, “The data controller must notify the supervisory authority without undue delay (and certainly within 72 hours of becoming aware of a breach).” This reporting requirement is a significant change from prior European rules that did not impose that type of reporting requirement.
3) Evaluate your employee training program.
Years ago, records management specialists and IT techs held responsibility for records and privacy issues. That approach is no longer going to work. As law firm Gowling points out, article 5 of GDPR requires employee training activities. Further, you also need to keep records on the completion of this training. To maximize the effectiveness of your training, consider using gamification to increase employee engagement.
Tip: Add GDPR training activities to your new employee onboarding program to ensure there are no gaps as you add new staff to the organization.
4) Do you have GDPR templates to use?
Nobody wakes up in the morning looking forward to regulatory compliance activities. As a result, you can ease the pain on employees by providing GDPR-compliant templates. Store these documents on your company’s intranet site where they can be easily accessible. Start by creating a template for privacy notices. Notifying a customer regarding a potential privacy mistake is a serious matter where you can ill afford to make mistakes. Fundamentally, think of these templates as checklists. As Atul Gawande shows in his book, “The Checklist Manifesto,” checklists are one of the best ways to save lives and reduce errors.
5) Review your supplier and vendor contracts.
Outsourcing a function to a supplier does not eliminate your General Data Protection Regulation responsibilities. For instance, you may rely on a supplier to create and distribute monthly account statements to your customers. If that supplier mishandles customer data by sending John’s statement to Jane, that is a problem for both the supplier and you. To mitigate this risk exposure, start reviewing your existing supplier contracts for GDPR compliance.
Risk tip: If your organization has a large number of supplier contracts, reviewing all of them may be daunting. In that case, focus your efforts on the suppliers who have the largest volume of customer data. Once those supplier contracts are reviewed, you can move on to other contracts.
6) Identify security and privacy automation opportunities.
Keeping up with changes in the regulatory environment is tough. What if your senior management is tired of hiring additional staff to address these risks? In that situation, you have a few options. As a manager, you may decide to push your current staff to work harder, but that is not a sustainable approach. Adding compliance automation tools like Avatier’s Compliance Auditor is a better way to improve your productivity.
GDPR Compliance Further Reading
To continue developing your GDPR compliance program, explore these resources. In the long term, it will be far cheaper to invest a few hours of effort in compliance preparation now than suffer large penalties in the future.
Warwick Ashford. “UK firms could face £122bn in data breach fines in 2018” Computer Weekly, Oct 16 2016
David Cook, Data breach notification and the GDPR, PwC