The General Data Protection Legislation, or better known as GDPR, comes into effect soon on May 25th and has been grabbing a lot of headlines the past few months – whilst this is new EU legislation this will have an impact on businesses around the world. So regardless if you are based in the USA, Canada, Australia, New Zealand or Europe you need to understand now what the legislation means to your business and how to ensure you are in compliance.
This legislation applies to any business that collects any European data even if this is done out of Europe. Think about all the data your business collects, email lists collected on blogs, e-commerce sales information, global clients. The impact of this is huge and we can almost guarantee that this will impact your business.
What makes this even piece of legislation even more scary is that the fines for non compliance can be eye wateringly high – up to 4% of your global revenue.
Our advice is to assume that this legislation applies to your business now and take actions to ensure compliance.
What are the new requirements?
The new requirements are formed around data security and privacy. For a complete list of requirements we recommend visiting the EU’s website on GDPR.
The summary of requirements is here:
- Safeguards and data protection measures must be in place to protect data.
- Right to erase – data must be removed when requested or the service comes to an end.
- Due diligence – Companies must have controls documented and in place and have conducted a full risk assessment.
- Data breaches – if your data has been breached customers must be notified and authorities within 72 hours.
5 simple steps
Understanding of the GDPR Legislation
In order to have the confidence that you are compliant you need to have an in depth understanding of the framework and really think about how this will impact your business.
Document your current process
Take some time to document your sources of data – where is this information captured, eg. email lists, online payment etc. Think about where you store the data and how you manage the current privacy and security about the data.
This document will be the start of your data register. The reason this needs to be documented is because each EU country will be setting up a GDPR enforcement team to determine whether breaches have occurred.
The documentation you prepare now (called a data register) helps to show the process your business has undertaken and steps made to ensure compliance. If your business is unable to show proof that a process has commenced to ensure compliance it could be fined without a breach of data even having occurred.
Organise your data
You need to make a list of the type of data you hold, where this information is stored and who has access to this information.
Improve your internal processes
Once you are aware of your most sensitive data you can develop a process to ensure this is kept securely, limiting access.
This could be by using encryption software, password protection, or software that stores data. There is no definitive method for ensuring privacy and security compliance – it will be dependant on the type of information stored and level of sensitivity.
Document your new process
Once you started implementing improvement to your internal processes ensure the new process is documented in your data register.
The road to GDPR compliance is likely to be long and costly for many businesses. Luckily there are some great options to help the process along such as cloud compliance software or hiring a compliance. This is legislation that no business owner can ignore and you really do need to at now rather than put your head in the sand.