The General Data Protection Regulation (GDPR) is a new law designed to unify and normalise the data protection framework within the European Union (EU). It comes into effect on 25 May 2018 and replaces the current data protection directive (Directive 95/46/EC). GDPR sets rules on how data should be stored, secured and accessed. It affects not only EU companies but any company that provides goods or services to EU residents, or tracks their online habits. The heavy penalties and fines for non-compliance are specifically designed to get C-suite attention. The numbers make it clear that the EU is taking data privacy more seriously than ever before. Repeated non-compliance will result in fines of up to EUR20 million, or as much as 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
With just under a year until GDPR becomes law, there is plenty for companies to think about. Here are five things you can do to be ready by 25 May 2018.
1. Find out if and how it applies to you
Does GDPR apply to you? The more your company deals with Europe, the more likely it is that you will be under scrutiny, at least initially. Document what you have done to establish your need for compliance. If you feel GDPR does not apply to you, state why and log your findings with your company's data compliance officer, or their equivalent. Similarly, if you feel you do need to comply, document why and start taking action to comply. If you are in doubt, seek outside advice. For an issue such as this, inaction will certainly lead to the worst possible outcome.
2. Audit your data
Gartner estimates that 80 per cent of an enterprise's data is in unstructured form. Unstructured often means unknown or insecure. No wonder data discovery exercises take so long to complete, if they are completed at all. Often, companies don't even know what that data consists of. Establish how old data is and, if it's over a certain age, examine whether you really need it. Once you have a better idea of what you have and how much of it there is, you can begin to formulate guidelines on what to keep and what to purge, along with strict rules on how to log and structure new data as it is created.
Few companies currently have formal criteria for deciding whether or not data should be kept (and for how long) or discarded. GDPR states data can be kept only if still being used for the purpose stated at the time it was collected. If it's no longer being used for that purpose, it must be deleted.
3. Evaluate existing capabilities
Understand what specific controls you have in place in relation to personal data. For example, who can access it and for what purpose? Once you know what controls you already have in place, you can begin to work out what other controls
are needed and can begin to calculate the level of investment needed to achieve that compliance. Remember that not all the controls you need are of a technical nature. Processes and procedures related to the handling of data will have to be documented and clearly communicated to the people handling that data. People are the most vital – and the weakest – link in achieving GDPR compliance.
4. Prioritise
Once you have an idea of how to achieve GDPR compliance, prioritise. Can solutions relating to process and procedure be implemented more quickly than technical solutions? Ensure third parties with whom you share data are briefed immediately on their responsibilities under GDPR. If it's taking time for your organisation to establish a detailed data policy, impose interim guidelines.
Under GDPR, individuals will be able to claim 'the right to be forgotten', meaning all data relating to the person must be deleted at their request and possibly handed over to the person prior to deletion. Make the ability to do this a priority.
5. Control what third parties can do with data
If you pass any information that comes under GDPR on to a third party, and they are deemed to have misused it, you become liable for that misuse. You should brief third parties on the law and its responsibilities. Go further and utilise technological solutions. With enterprise digital rights management (EDRM), you can precisely specify who can view, edit, copy, screen capture and share files, as well as which devices a document can be viewed on and for how long. An audit trail is created that clarifies who has accessed a document and when. File access and usage permissions can be quickly revoked at any time from anywhere.
The focus of GDPR is to ensure that data remains private, secure and monitored at all times. With the right combination of tools and technology in place, organisations can achieve compliance and avoid the risk of heavy fines.