The European Union is rolling out its new General Data Protection Regulation, or GDPR, in May 2018, and organizations across the world are trying to determine how this new legislation will affect their day-to-day operations. The 2017 Risk: Value report, commissioned by NTT Security, surveyed 1,350 non-IT executives across 11 countries, with 40% believing their organization will be subject to the EU regulation, 19% admitting they don’t know which compliance regulations they are subject to, and 25% in the US identifying the regulation as a compliance issue.
Any organization that does business with anyone within the EU must understand how to deal with the GDPR because failure to comply with its dictates could result in penalties of up to €20 million or 4% of global annual turnover, whichever is higher. Those are numbers that should get anyone’s attention. If your organization does any business within the EU, it is important to understand your obligations under GDPR.
The good news? If your organization is affected and you have an established information governance program, you are well on your way to compliance. Information governance can be broken down into four questions — or “The Four Ws” as I call them. What are your information assets? Where are they located? When can you dispose of them? Who owns, manages and has access to them?
If you can answer these questions, you can skip ahead. If not, it is time to begin an audit. An audit is the first step to creating an information governance program. With an information governance program in place, you can move forward to understanding compliance with GDPR. Here are some basic steps to ensure your organization has a plan for the regulation:
- Maintain a fully documented information governance program, with a central figure or group in charge of it who is responsible for monitoring compliance.
- Maintain a fully documented training program to prove everyone that handles client data has been fully trained on how to comply with the regulatory requirements.
- Understand where all personally identifiable information (PII) is stored within your organization’s systems. This is similar to what you would normally find in an ESI Data Map.
- Ensure all PII is securely stored and fully removed from all systems when no longer needed. This means complete data access logs, end-to-end encryption and documented expungement procedures and logs.
- In the event of a breach, have a documented procedure in place that notifies everyone affected within the prescribed time frame, which is currently 30 days.
Having an information governance program in place makes achieving compliance much easier. With the framework in place, there are only a few modifications to get you on the road to where you need to be. Mitigating this risk has a definite return on investment that any organization can understand.