Is it possible that some organizations have not yet heard about GDPR – the new EU legislation?
Sadly, yes. And an even greater number who have heard about it don’t realise how their own organization will be impacted. A primary issue is that many organizations with headquarters outside of the EU are still unclear about their responsibilities for managing personal data from EU residents.
GDPR was welcomed into EU legislation in 2016, and will require organizations processing sensitive data of any EU resident to be fully compliant by the enforcement date of May 25, 2018.
GDPR: What is it and who’s impacted?
In short, the new GDPR regulation applies to more organizations than you might expect. Data collection is most often done online these days, so if you have a website that requests personally identifiable data, chances are you must abide by the GDPR requirements.
From travel and insurance to retail and online services, *any* organization that collates, stores or transmits volumes of sensitive information from EU residents must have the correct process in place in just a few months' time.
Just to be crystal clear here: It doesn’t matter if the data is collected outside the EU. It doesn’t matter if the data is processed or stored outside the EU region. If the data you collect on EU residents does not abide by the GDPR regulation, your organization could be facing steep fines, not to mention legal costs and mandatory audits.
In light of this, we recommend you get your skates on (if you haven’t already). We have a few resources and recommendations to help you on your way.
First thing is to understand the ins and outs of GDPR. It is an important new EU-mandated regulation: it provides the foundation for how organizations around the globe collate and process sensitive customer information belonging to EU residents.
If you need a recap, check out these resources:
One of the biggest challenges with GDPR is the complexity of the regulation. The stipulations touch every phase — from data collection, processing and transmission, all the way to detailing the security requirements to secure that sensitive data.
Ultimately, the legislation drives the point home that organizations are, in a way, merely leasing data from the original individual. The EU resident must consent to giving you the data, as well as consenting to how the data will be used and shared. More importantly, the EU resident can request data updates, ask for all the information stored on him or her, and demand that his or her data is wiped from the database.
Here is a high-level checklist of requirements to help you ensure that you have the right security policies and services in place to protect against data threats. And check out the additional resources below to get more detailed advice.
- Review the consent policies presented to users before any personal or sensitive data is collected.
- Review or create a data management strategy to identify and classify data collated from users.
- Review or create a governance plan setting out policies and procedures for how you will collate, process and store data securely, as well as keep up-to-date records and logs to track the data through the various systems.
- Review or create a security strategy outlining the security infrastructure, procedures and policies that will protect the data from unauthorised access or use. Note that regular risk assessments are a GDPR requirement as well.
- Create a cybersecurity incident strategy, outlining notification procedures if a data breach occurs.
While this list might seem like a daunting task list to the uninitiated, remember that here at GFI Software we are compliance and security experts and we have been working on services and solutions to simplify the compliance process.
Our technical support teams provide free expert advice to businesses and organizations around the globe, and they can radically simplify the process of onboarding GDPR into your organization.
Click here to see how our solutions can aid with GDPR or download our FREE whitepaper.