The words General Data Protection Regulation (GDPR) should strike at least a little fear in the hearts of organizations doing business in the European Union. The regulation takes effect on May 25, 2018, and it will affect any business that handles the personal data of people in the EU, including sensitive categories such as health, biometric and financial data. But what is GDPR, and how should an organization prepare for it?
What Is GDPR?
General Data Protection Regulation (GDPR) is an update to the existing rules for handling personal data that were established by the EU Data Protection Directive of 1995 (implemented in the UK as the Data Protection Act 1998). The original rules defined what personal data was and gave guidelines on how that data must be stored, accessed and controlled by the organization that held it. They also set penalties for companies that experienced breaches or disclosed personal data without permission. The GDPR replaces the directive with a regulation that applies directly in every member state, gives consumers more control over their personal data, introduces the Data Protection Officer role, and sets out specific breach-notification duties and the penalties that apply when organizations fall short.
GDPR Business Requirements
Businesses need to address some specific areas to become compliant. One is understanding and separating the roles of data controller and data processor. A data controller is the organization that decides why and how personal data is processed; for example, a company that interacts with customers and records their email addresses. A data processor handles that data on the controller's behalf and under its instructions; for example, a company that manages the email list and sends emails for the controller. Both roles carry obligations under GDPR, and the contract between them must spell out the processor's duties.
The GDPR also introduces the role of the Data Protection Officer. Any public authority, and any organization whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (such as health, biometric or criminal-conviction data), must appoint a data protection officer, whose main role is to oversee privacy, consumer data rights and GDPR compliance. The 250-employee figure often quoted in this context is a separate threshold: it relates to the duty to keep records of processing activities, not to the DPO requirement.
The regulation also details the rules on consent to the collection of personal data, what data can be collected, how it may be used, and what rights customers have over their personal information, including access, correction, erasure and data portability. It spells out the fines associated with noncompliance as well.
US vs Them
One of the most controversial changes stemming from GDPR is its reach beyond the EU. The regulation applies to any company, wherever it is based, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. Such a company must meet the same standards and rules for compliance, and if it does not follow them it is exposed to the same fines as an EU-based organization.
The complexity increases when the Internet becomes involved. When a consumer in the EU purchases an item from a US-based company's website, that transaction falls within the scope of GDPR, so the rules, as well as the penalties, apply to the US company.
With fines that can reach twenty million euros or 4% of global annual turnover, whichever is higher, the cost of becoming compliant is small by comparison. The first step is a gap analysis. This analysis examines the data processes and policies the company already has in place, and it includes interviews with the employees who handle personal data. Once the gap analysis identifies the risks to compliance, a remediation plan is created.
The remediation plan lists the risks and barriers to becoming GDPR-compliant and provides a detailed, costed path to compliance. This plan will often include long-term compliance management in the form of annual training for employees. It also includes the deployment schedule for data mapping and policy creation, as well as a readiness assessment after everything has been rolled out.
Companies must be compliant with GDPR by May 25th, 2018, and time is running out. The regulation touches every area of the business, and every part of the company will need to be on board to succeed.
SysArc helps US-Based companies comply with GDPR. Get Your Free GDPR Gap Analysis Today! >>