The General Data Protection Regulation (GDPR), passed in 2016 by the European Union, goes into effect this week. The frenzy around compliance has been building for months: According to Forbes, the average Fortune 500 company has spent $16 million on lawyers and consultants to prep for GDPR. This GDPR checklist will tell you the top three things you need to know.
1. Know what you’ve got. The first and biggest task on any company’s GDPR checklist is an audit. You have to know where you are before you can know what needs to change. Intended to introduce transparency and accountability where there has previously been very little, GDPR applies to data collection, processing and retention practices, and to the data itself. To that end, companies need to know their data ecosystems inside and out: for each processing activity, what types of personal data do you collect and process, on what lawful basis, where is it stored (including backups and third-party processors), who is it shared with, and how long is it kept? Most organisations will have to keep exactly this kind of record of processing activities under Article 30, so the audit is not wasted effort.
In its own GDPR checklist, the Information Commissioner’s Office recognizes, “Many organisations will not have thought about their lawful basis for processing personal data,” in part because they haven’t needed to. Many companies took a “collection by default” approach, especially as “big data” became a buzzword. But the more records a company holds, the more lucrative it is as a target. Unauthorized access to systems is usually only the means in a cyberattack; the endgame is access to data.
Data minimization, therefore, is a best practice for a company’s own information security, and its bottom line. Hanging on to data that isn’t being used is both expensive and risky. Now, with GDPR, there’s another reason to know exactly what data you’ve got, what you’re doing with it and where it’s stored: You may be asked — and required — to delete it.
2. Have a plan for secure destruction. Under GDPR, individuals have different rights depending on the lawful basis a company relies on for collecting and processing their data. Most of those rights build on the ones in the 1995 Data Protection Directive, which GDPR replaces. Among the rights GDPR strengthens, one of the most important is the right to erasure (Article 17). As of May 25, an individual in the EU can ask a company to erase the personal data it holds about them, and the company must comply when one of the grounds in Article 17 applies (for example, the data is no longer needed for the purpose it was collected for, or consent has been withdrawn); the right is not absolute, and a company must be able to show which ground it applied and why. Deleting a record is harder than it sounds: copies linger in backups, database replicas, log files, search indexes, analytics exports and decommissioned drives, and an SSD’s wear-leveling can leave “deleted” blocks physically intact. Hence, a plan for secure destruction that covers every place the data lives is high-priority.
You can work with a provider to ensure that both digital and physical data is permanently destroyed. As long as you know where your data is, if it needs to get erased, certain providers can guarantee — with legal proof in the form of a Certificate of Destruction — that it’s gone.
3. Let your customers know you have their backs. GDPR’s protections apply to individuals in the EU regardless of citizenship, and to organizations outside the EU that offer them goods or services or monitor their behavior; even so, the practices GDPR incentivizes are good for every consumer. So, let your non-EU customers know! By adopting higher standards for data protection and governance across the organization, companies show their commitment to the principles behind GDPR: transparency, accountability, privacy and security. Establish an effective channel for prioritized communications. Messages about your customers’ data are important and should be separate from product updates or new service offerings. But just because these are legal matters doesn’t mean your communications have to be written in “legalese.” Take the opportunity to showcase your customer service: Explain your customers’ rights in ways they’ll understand, and make sure they know they can reach out. Two-way communication with your customers is important, and under GDPR it is required: you must tell people how to exercise their rights and, as a rule, respond to a request within one month.
As the written guidance suggests, adapting to the new requirements of GDPR should not be difficult for companies that were already responsible stewards of their customers’ data. For example, in addition to requiring that personal data breaches be reported to the supervisory authority (within 72 hours where feasible) and to the affected individuals when the breach is likely to put them at high risk, GDPR also requires a company to tell every recipient with whom it has shared personal data about any rectification, erasure or restriction of that data (Article 19). This is something responsible data stewards should already be doing, even though it does require some extra effort.
Ultimately, while GDPR is seen as consumer protection, what’s good for consumers is good for companies. The new regulations will keep us all safer and more secure.