365 Days To Go For GDPR – How Ready Are You?

Part of my work at Jetico involves getting the company ready for General Data Protection Regulation (GDPR) compliance. The deadline of May 25, 2018 is fast approaching. With only 365 days to go, it's now time to get serious about data protection and comply.

If you haven't looked at the new regulations (or you have and you're pulling your hair out), this blog is for you. First, know that you're not alone - a recent study shows that over half of the organizations affected by the new law have not begun to make a move on GDPR compliance. Second, know that it's not all that bad! Like many official tasks, there is a process to becoming compliant. Just take it one step at a time and you are sure to avoid losing any more hair.


GDPR in a nutshell

  • What?
    Let’s start by looking at what the General Data Protection Regulation is and what it isn't. The European Commission defines the Regulation as "an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market." This translates into several changes and additions to current laws surrounding an individual's data, including the Right to be Forgotten and easier access to one's data.
  • When?
    Although the regulation has been in place since May 24, 2016, affected organizations have until May 25, 2018 to become compliant. The two-year grace period is good news, but the date on which enforcement of the GDPR begins is fast approaching.
  • Who?
    If your company handles any European personal data, whether you're inside or outside of the European Union, you are subject to the General Data Protection Regulation. No matter your…
    - Industry
    - Company size
    - Location
    The wording of the regulation is such that if you process data and offer goods or services to members of the EU then you must comply with the GDPR.


Costs of non-compliance could be devastating
For organizations, the new rules will be enforced with a strong arm. If a company chooses to forgo compliance, for whatever reason, it can be fined up to 4% of its global annual turnover. Here is a summary:

For offenses related to:
- Child consent
- Transparency of information and communication
- Data processing, security, storage, breach, breach notification
- Transfers related to appropriate safeguards and binding corporate rules
Fine: €10 000 000 or 2% of global turnover

For offenses related to:
- Data processing
- Consent
- Data subject rights
- Non-compliance with DPR order
- Transfer of data to third party
Fine: €20 000 000 or 4% of global turnover


The penalty will be whichever number is greater, either the flat fine or the percentage of global turnover.


That's a lot of revenue gone for no reason. In fact, according to Capgemini Consulting's Digital Transformation Institute, European companies could face around €141 billion ($151 billion) in total fines.


Get ready for GDPR
Preparing for compliance may look daunting at first glance, but there are ways to reduce the pain.

  • Understand where your data lives
    It's your responsibility to know where your data is, even if you outsource data storage to a cloud provider. Request the details from your provider, and use transparency as a metric of quality.
  • Get organized
    After determining where your data resides, it's crucial to get (and stay) organized. Start by creating an inventory – sort data by importance to your company and by level of risk.
  • Put someone in charge of data protection
    Certain provisions of the General Data Protection Regulation require some companies to appoint a Data Protection Officer. As an organization, you may already have a position like this. If not, it's a great idea to appoint someone to that role. It sends a message that you take your consumers' data seriously enough to make someone responsible for it. Not only will your consumers get that message, but so will compliance officers when it comes time for an audit.
  • Write up a contingency plan, in the event of a worst-case scenario
    Downtime may not be an option for your organization. So consider costs and pencil in a detailed plan of what you'll do if the hammer comes down hard.
  • As a failsafe, consider disk encryption software
    The GDPR allows encryption of data to exempt a company from breach notification responsibilities. For example, if a laptop is lost or stolen but the data on it is encrypted, you would not need to report a breach. Because the data cannot be understood by anyone not authorized to use it, encryption also minimizes third-party risk.

Don't let the GDPR sneak up on you. Employ the old scout adage, "be prepared", and you'll be glad you took the extra time and effort.


GDPR Encryption by BestCrypt from Jetico

Jetico provides pure and simple file and disk encryption software for National Security, Compliance and Personal Privacy. Already trusted for HIPAA compliance, Jetico's BestCrypt delivers GDPR encryption for peace of mind.



About the Author

Michael Waksman has been leading the growth of Finnish data protection software developer Jetico since 2008, creating the company's corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations primarily focused on Jetico's wide user base throughout the U.S. Defense community and the growing compliance market. Mr. Waksman is vice-chairman of the Cyber Group in AFDA, the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, Mr. Waksman contributes an annual blog for Data Privacy Day and National Cyber Security Awareness Month. He is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. A dual citizen of both the United States and Finland, he is a native New Yorker, but has been living in Helsinki for over 10 years. In 2012, Mr. Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland.
