The clock is ticking – there is not much time left before the EU’s new General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. “But don’t panic. Instead, take action straight away and make sure you do the right things. That will help you to avoid both fines and a bad reputation, even if you aren’t fully compliant by May 25,” says Daniel Hjort, director for Smart ID management at identity and security company Nexus Group.
The impending GDPR is making many business executives stressed and maybe even afraid.
“And it’s understandable. The GDPR has teeth, for sure. And it’s a very comprehensive regulation: it consists of 99 articles, stipulating the rights of individuals and defining the obligations of the organizations,” says Hjort.
The purpose of the regulation is to give EU citizens control over the personal data that organizations collect, process and store about them.
“To make sure that all organizations comply, there’s a pretty harsh fines regimen. But this is not what’s scaring business executives the most, since the authorities probably won’t be ready to start doing inspections by May 25. The biggest threat this spring is getting a bad reputation on the market. The individuals and the media are preparing to grill organizations as soon as the GDPR goes into effect,” says Hjort.
To get on top of the situation before May 25, you should focus on doing these 12 things:
1. Make sure you are complying with the current, nation-specific personal data protection act.
“The GDPR builds on current legislation, but is more extensive. And while many local legislations have been quite toothless, the GDPR is clearer when it comes to what happens if you ignore it,” says Hjort.
2. Figure out what data is affected by the GDPR, and where and how it is stored.
“The affected data can be everything from a name, a photo, an email address or bank details, to posts on social networking sites or an IP address. Don’t forget any of your systems; you probably store personal information in more places than you first might have thought. And don’t forget that data about your own employees is also often in the scope of the GDPR,” says Hjort.
3. Classify the affected data.
“When you have reduced the data to the bare necessities, and you have identified the data owners, you should decide on a data classification scheme. One example of such a scheme is marking data as official, secret or top secret. There are certainly many data classification companies out there that are eager to offer you their help, but you can easily implement your own scheme by using headers and footers, watermarks or visible labelling, combined with employee training and awareness. Just be sure to opt for a scheme that is clear, simple and relevant to your business,” says Hjort.
4. Make sure that you can control access to the data.
“Requiring employees to use two-factor authentication to access and manage sensitive GDPR data is key,” says Hjort.
5. Decide on how to get consent from EU citizens for storing their data.
“And don’t forget that you have to manage parental consent for data regarding minors,” says Hjort.
6. Put a system in place to check the identity of individuals requesting you to take actions regarding the data you have about them.
“The GDPR gives all EU citizens the right to know what data you have about them, and you also have to give them the data or delete the data upon their request. Having two-factor authentication login to customer and partner portals simplifies the interaction with those who make requests. If people just send you emails with requests, you have no way of verifying if they are who they say they are,” says Hjort.
7. Create processes to handle requests to deliver or delete data.
“You may get tested on this straight away, so you had better prepare. If the journalists don’t get their data within the stipulated time, there will be some bad will. And if they don’t get it in 3 weeks, there will be a whole lot of bad will,” says Hjort.
8. Prepare to collect and package requested data for delivery.
“In what databases should you look for the information? And will you package it as a zip file, a PDF or in some other format?” says Hjort.
9. Make sure that you can deliver the data in a secure and confidential way.
“I worry many organizations will panic and send confidential information in an e-mail to be able to get it to the requester within the stipulated time. This is a huge mistake – you have to prepare a secure way to transfer the data,” says Hjort.
10. Prepare procedures for how to manage data breaches.
“You have to inform the authorities and affected individuals without undue delay,” says Hjort.
11. If your organization has more than 250 employees, the GDPR places even stricter demands on you. Most importantly, you have to justify why personal information is being collected, stored and processed.
“You also have to have descriptions of the information you’re holding and what technical security measures you have put in place,” says Hjort.
12. Find out if your organization is obliged to appoint a data protection officer, and if so, appoint one.
“I can’t guarantee that you’re 100% compliant after taking action on these 12 items – but that’s not the point. I don’t think any organization will be fully compliant by May 25, since the GDPR is such a huge and comprehensive regulation. But the above list will for sure help you avoid both fines and a bad reputation in the market, since it shows that you have clearly taken action and focused on doing the right things,” says Hjort.
The Nexus Smart ID solution is ideal for getting in control of many of the technical aspects of preparing for the GDPR. Please contact Daniel Hjort or another Nexus representative if you want to know more.
You can also find additional information here:
The EU’s Article 29 data protection group’s guidelines.
The GDPR in its entirety.