How to Prepare for GDPR's Data Privacy Changes - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Management // Big Data Analytics
11:00 AM
Jessica Davis
Jessica Davis
Connect Directly

How to Prepare for GDPR's Data Privacy Changes

Companies are headed into the final stretch to get ready for GDPR compliance before the May 2018 deadline. Whether your compliance plan is already in the works or if you are just getting started, here's some advice about setting priorities.

As 2018 begins, businesses are getting ready for the new rules that go into effect in Spring in the European Union. Or they should be. Companies around the globe must comply with the General Data Protection Regulation (GDPR) starting in May if they deal with the data of any European citizens.

The provisions and the need to comply may not be news to European-based companies that have had to comply with the previous EU Directive, a predecessor to the coming GDPR rules. But non-European companies may find that they suddenly must pay attention to these rules or face the consequences -- fines of up to 4% of revenue.

(Image: SB_photos/Shutterstock)

(Image: SB_photos/Shutterstock) spoke with Lei Shen, a partner at the law firm of Mayer Brown in Chicago and a specialist in transactional privacy about some of the challenges and the status of company efforts.

"There’s a lot to do to get ready for the GDPR," she told me. "As we near the May deadline, we’re definitely seeing a lot more scrambling. While many companies are well underway in their preparation for the GDPR, some companies are just starting to realize how much work is involved to get ready."

Some US businesses may not be aware of what they need to do, she told me, because the EU and the US have different definitions for personal data.

"The definition of personal data is a lot broader in the EU than what is considered to be personal data in the US," Shen told me. "So, for example, business contact information is considered personal data in the EU."

US-based companies may not understand the scope of what is considered personal information by the EU, and therefore they may be underestimating the data that is subject to the rules.

In addition, while US-based companies may not be directly doing business with European Union customers, they are still subject to the rules if any of their subcontractors work with that data, again expanding the scope beyond what some companies may have thought.

Top Priority

If you haven't started your GDPR work yet, you have a big job ahead of you. Even if you have begun, you may want to prioritize your efforts as the compliance deadline draws nearer. With that in mind I asked Shen what she thought was the top area for attention for companies trying to prepare.

"A big one is to do data mapping, especially for companies that weren't subject to the EU directive before and are subject to the GDPR now due to the change in jurisdictional scope," Shen told me. "In order to be able to comply with the requirements of the GDPR, companies need to know where their data is coming from, what consent was given at the time the data was collected, and what purpose the data was collected for. Conducting data mapping will enable companies to identify these factors and also make sure that all of these factors are taken into consideration when processing the personal data."

Companies may also want to reevaluate their data breach plans. Shen said that the EU requires companies to report breaches to a supervisory authority within 72 hours -- a huge difference from the notification timeframe in the US, which is 30 days.

"A lot of companies are having trouble complying with the 30-day requirement, let alone 72 hours," Shen said.

She recommends that companies create a data breach response plan and then practice that plan. Again, data mapping will be an essential component of the data breach response plan because the data mapping will enable companies to more quickly identify what data is on systems that have been affected by the breach.

One or Many Plans?

So if you are a US-based company that does business in the EU, do you create a single compliance plan that follows the EU rules, or do you run two or more parallel plans so that you have more freedom with some of the data?

"We are seeing companies [follow the EU plan] because it's very hard to have multiple databases in place [for data from different countries] and apply different rules to each of those databases," she said. "Companies often take the strictest laws and apply them throughout."

An exception may be companies that operate mostly in the US and only have a small subset of data from the EU. Those companies likely don't want to subject all their data to the stricter EU requirements.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll