How to Get Ready for GDPR - InformationWeek


Commentary
6/27/2017 07:00 AM
Jessica Davis

How to Get Ready for GDPR

GDPR enforcement begins in May 2018, and now is the time to ensure your company isn't hit with fines that can be up to 4% of revenue. ADP's Chief Privacy Officer provided two tips on where to get started with your GDPR compliance plan.

(Image: EtiAmmos/Shutterstock)

Organizations around the world are getting ready for a new regulation that governs how they must handle data about European consumers: the General Data Protection Regulation, or GDPR. Why are non-European companies preparing for this regulation? US-based consumers don't enjoy such protections. Indeed, US regulations appear to be going in the opposite direction if you consider the move in March to roll back broadband privacy regulations, enabling service providers to use consumer internet history to target advertising.

But you don't have to be a European company to deal with European customers. Any organization that stores or touches data coming from Europe will need to comply with this new regulation or pay stiff penalties -- up to 4% of annual revenue.

Experts note that "any US company with European customers in its database must fully comply or face big fines." A survey commissioned by Compuware found that 52% of large US companies store information that fits that profile. So chances are GDPR will affect you, even if you are in the US and work for a US-based company.

A couple of the basic elements of GDPR consumer protections include the following:

  • The right to be forgotten. As a consumer in Europe, you are empowered to require a company to delete every bit of data they have about you.
  • Data portability. If you are moving from one service provider to another, your provider must give you your data in a format that lets you transfer it from one service provider to another.

The good news is that enforcement of these new regulations goes into effect in May 2018, so there is still time to prepare. But you'd better get started now, because you have a big job ahead of you.

That's just what ADP, best known as a payroll and human resources service provider serving companies around the world, is helping its corporate customers to do.

"Clients have been asking questions since GDPR was enacted a year ago," Cecile Georges, Chief Privacy Officer at ADP, told me in an interview. "Clients want to know what they have to do to comply."

While ADP doesn't provide legal advice, Georges did offer some ideas about where organizations should start with their GDPR compliance efforts.

The first step, she said, is to understand the regulation itself. Georges points out that GDPR is made up of 99 articles, so any efforts to comply will include gaining an understanding of how those articles apply to your individual business.

How do you do that? Georges' next recommended step is to perform a gap analysis that inventories your organization's data processes now versus where they need to be to comply with the new rules. In this stage companies will need to answer questions such as: Who accesses the data? Where is it stored? Do you own the data?

"What companies do to comply will depend on the results of their individual gap analysis, so the answer won't be the same for everyone," Georges said.

"If you collect and process data originating from Europe, even if you don't have a company or legal entity over there, you are required to comply with GDPR," Georges said.

Companies with both European and non-European customers will need to decide whether they want to create multiple compliance efforts -- a complicated undertaking. Do you have a separate program for the data and customers that touch Europe? Do you go to the effort and expense, and cope with the complexity, of running two or more parallel compliance programs? Or should you instead create a single program that endeavors to comply with the regulations of the strictest jurisdiction where the company does business? That's not an easy question to answer, Georges noted. She sees some companies looking to create a hybrid approach.

How companies actually proceed remains to be seen. What about your company? How are you handling GDPR? Are you implementing multiple compliance programs within your company? Or are you following a single GDPR-like compliance effort? Let us know in the comments.
