General Data Protection Regulation (GDPR) is coming. It’s a wide-ranging regulation that requires both heightened protection for personal data and thorough notification to any European Union (EU) data subject whose personal data is breached. This applies to living individuals on EU soil, both citizens and noncitizens alike.

The Clock Is Ticking for GDPR Compliance

A surprising number of organization leaders seem to be taking a wait-and-see approach to GDPR. They want to see just how the law’s provisions will be carried out in practice. That’s understandable, but it might not be wise. GDPR isn’t just a toothless suggestion. It’s a serious directive, and avoiding its penalties, which can range as high as 4 percent of an enterprise’s worldwide financial turnover, is going to be an important objective for any business that does business in the EU or with EU residents.

Read the Interactive Solution Brief: Ready, Set, GDPR

As of May 25, 2018, any enterprise that handles the personal data of EU residents will face stiff penalties for data handling practices that violate the new law. The wide scope of the regulation may come as a surprise to business leaders and IT professionals outside the EU, even ones accustomed to dealing with local or national regulations of their own. Note that where the data resides is irrelevant — what matters is that it belongs to an EU data subject, even if the data itself is stored elsewhere. This seems understandable enough, though some businesses worldwide are either unaware or only dimly aware of the upcoming regulation.

Until the new regulation takes full effect in May 2018, organizations are expected to make the preparations they need to meet the demands it sets forth. During this period, you should pay special attention to the preparations companies similar to yours are making for GDPR compliance. This can help you avoid being blindsided by enforcement actions.

Name, Rank and Serial Number? Not By a Long Shot

Under GDPR, personal information that your company might routinely collect, such as customer demographics, requires intense care if it can personally identify an individual. Preparation for GDPR compliance means, first of all, an enterprisewide assessment of the kind of data your organization collects or holds. You’ll need to identify personal data or — perhaps the most efficient course — treat all personal data with the same heightened level of protection. The simplest course may well be to delete nonessential personal records entirely. Remember, the high price of noncompliance can turn unprotected personal records into toxic assets.

Under GDPR, enterprises will need to carefully steward any information that could be used to identify a covered individual, including information such as:

  • Name;
  • Unique identifiers, such as social insurance account numbers;
  • Location data that can be used to pinpoint an individual;
  • Email address and other contact information; and
  • Characteristics specific to the individual, such as political opinions, religion, physical details, and special categories of data such as genetic and biometric information.

Organizations will also be expected to comply with requests to erase data belonging to individuals who do not wish for it to be held. This provision is officially known as the right to erasure (sometimes more colloquially called the right to be forgotten).

Why GDPR Preparation Isn’t Just a Day at the Park

Preparing for GDPR compliance will take time, because GDPR calls for accountability as well as compliance.

In fact, one of the most challenging elements of meeting GDPR’s requirements is one of record keeping. Companies will not only have to appropriately classify and protect personal information, but they will also have to document their compliance with the regulation. They’ll need careful record keeping so they can meet the requirement to notify affected data subjects in the event of a breach. GDPR also requires that you maintain and enforce internal data policies — time frames for data retention, for example — and these should be articulated for all stakeholders.

Equally challenging for many organizations will be the adjustments they will need to make to their internal structure to meet GDPR mandates. Both personnel and practices will be affected. GDPR compliance, for example, may call for enterprises to designate a data protection officer to represent the interest of data holders in certain circumstances, such as where required by member state law or when processing special categories of data on a large scale.

What Should You Be Doing?

Best practices can be hard to describe in depth when they concern a regulation that’s not yet in full effect. But GDPR is concrete enough that some steps are easier to identify, for example:

  • Work together. Make sure every part of your organization — from legal to accounting to sales to customer service — is aware of the implications of GDPR and operates with the common goal of meeting its requirements.
  • Assess the impact. Survey all data you hold (from customers, employees or other individuals) for all the kinds of identifiers the law affects, and make protecting them a priority. This also includes business contacts, not just consumers.
  • Plan judicious data use and collection. Identify, as closely as you can, what data will be necessary for new and ongoing projects, and use the least amount of personal data possible. At the same time, test your procedures for meeting individuals’ requests for data access or erasure. Frugal use of data will help you avoid challenges to your data practices and help reduce the risk of a breach.
  • Create a notification plan. In the event of a breach, the ability to contact the supervisory authority within 72 hours and notify affected data subjects is critical. If you don’t report the breach or can’t reach the data subjects, you may face fines and other penalties, even when the breach is no fault of your own.

As wide-sweeping as it is, GDPR is ultimately a regulation that can be tackled like any other. We think the single best thing you can be doing about GDPR compliance is setting yourself and your team in motion rather than sitting on the sidelines.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
