The General Data Protection Regulation (GDPR) is coming. It is a wide-ranging regulation that requires both heightened protection for personal data and notification of European Union (EU) data subjects whose personal data is breached, whenever the breach is likely to put their rights and freedoms at high risk. It applies to living individuals in the EU, citizens and noncitizens alike.
The Clock Is Ticking for GDPR Compliance
A surprising number of organization leaders seem to be taking a wait-and-see approach to GDPR. They want to see just how the law's provisions will be carried out in practice. That's understandable, but it might not be wise. GDPR isn't a toothless suggestion. It is a binding regulation, and avoiding its penalties, which can reach 20 million euros or 4 percent of an enterprise's total worldwide annual turnover, whichever is higher, is going to be an important objective for any business that operates in the EU or handles the personal data of EU residents.
As of May 25, 2018, any enterprise that handles the personal data of EU residents will face stiff penalties for data handling practices that violate the new law. The wide scope of the regulation may come as a surprise to business leaders and IT professionals outside the EU, even ones accustomed to dealing with local or national regulations of their own. Of note is that where the data resides is irrelevant; what matters is that it relates to a data subject in the EU, even if the data itself is stored elsewhere. This seems understandable enough, yet some businesses worldwide are either unaware or only dimly aware of the upcoming regulation.
Until the new regulation takes full effect in May 2018, organizations are expected to make the preparations they need to meet the requirements it sets forth. During this period, pay special attention to the preparations companies similar to yours are making for GDPR compliance. This can help you avoid being blindsided by enforcement actions.
Name, Rank and Serial Number? Not By a Long Shot
Under GDPR, personal information that your company might routinely collect, such as customer demographics, requires intense care if it can personally identify an individual. Preparation for GDPR compliance means, first of all, an enterprisewide assessment of the kind of data your organization collects or holds. You'll need to identify which of that data is personal data and then decide how to protect it; rather than tiering controls by sensitivity, the most efficient course may be to treat all personal data at the same heightened level of protection. The simplest course may well be to delete nonessential personal records entirely. Remember, the high price of noncompliance can turn unprotected personal records into toxic assets.
Under GDPR, enterprises will need to carefully steward any information that could be used to identify a covered individual, including information such as:
- Unique identifiers, such as national identification or social insurance numbers;
- Location data that can be used to pinpoint an individual;
- Email address and other contact information; and
- Characteristics specific to the individual, such as physical description, and the special categories of data the regulation singles out for extra protection, including political opinions, religious beliefs, health data, and genetic and biometric information.
Organizations will also be expected to comply with requests to erase data belonging to individuals who do not wish for it to be held. This provision is officially known as the right to erasure (sometimes more colloquially called the right to be forgotten).
Why GDPR Preparation Isn’t Just a Day at the Park
Preparing for GDPR compliance will take time, because GDPR calls for accountability as well as compliance.
In fact, one of the most challenging elements of meeting GDPR's requirements is record keeping. Companies will not only have to appropriately classify and protect personal information, but they will also have to document their compliance with the regulation, for example by maintaining records of their processing activities and of any breaches that occur. They'll need careful record keeping so they can meet the requirement to notify the supervisory authority and affected data subjects in the event of a breach. GDPR also requires that you maintain and enforce internal data policies, such as time frames for data retention, and these should be articulated for all stakeholders.
Equally challenging for many organizations will be the adjustments they will need to make to their internal structure to meet GDPR mandates. Both personnel and practices will be affected. GDPR compliance, for example, may call for enterprises to designate a data protection officer to monitor compliance and serve as the contact point for data subjects and supervisory authorities. This is mandatory in certain circumstances, such as where member state law requires it, where the organization's core activities involve regular and systematic large-scale monitoring of individuals, or where it processes special categories of data on a large scale.
What Should You Be Doing?
Best practices can be hard to describe in depth when they concern a regulation that’s not yet in full effect. But GDPR is concrete enough that some steps are easier to identify, for example:
- Work together. Make sure every part of your organization — from legal to accounting to sales to customer service — is aware of the implications of GDPR and operates with the common goal of meeting its requirements.
- Assess the impact. Survey all data you hold (from customers, employees or other individuals) for all the kinds of identifiers the law affects, and make protecting them a priority. This also includes business contacts, not just consumers.
- Plan judicious data use and collection. Identify, as closely as you can, what data will be necessary for new and ongoing projects, and collect and retain the least amount of personal data possible; data minimization is one of the regulation's core principles. At the same time, test your procedures for meeting individuals' requests for data access or erasure. Frugal use of data will help you avoid challenges to your data practices and limits what a breach can expose.
- Create a notification plan. In the event of a breach, the ability to notify the supervisory authority within 72 hours of becoming aware of it, and to reach affected data subjects without undue delay when the breach is likely to put them at high risk, is critical. If you don't report the breach or can't reach the data subjects, you may face fines and other penalties, even when the breach is no fault of your own.
As wide-sweeping as it is, GDPR is ultimately a regulation that can be tackled like any other. We think the single best thing you can be doing about GDPR compliance is setting yourself and your team in motion rather than sitting on the sidelines.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.