How to Get Ready for GDPR - InformationWeek


Data Management // Big Data Analytics
Jessica Davis


GDPR enforcement begins in May 2018, and now is the time to ensure your company isn't hit with fines that can be up to 4% of revenue. ADP's Chief Privacy Officer provided two tips on where to get started with your GDPR compliance plan.

(Image: EtiAmmos/Shutterstock)


Organizations around the world are getting ready for a new regulation that governs how they must handle data about European consumers: the General Data Protection Regulation, or GDPR. Why are non-European companies preparing for this regulation? US-based consumers don't enjoy such protections. Indeed, US regulations appear to be going in the opposite direction if you consider the move in March to roll back broadband privacy regulations, enabling service providers to use consumer internet history to target advertising.

But you don't have to be a European company to deal with European customers. Any organization that stores or touches data coming from Europe will need to comply with this new regulation or pay stiff penalties -- up to 4% of annual revenue.

Experts note that "any US company with European customers in its database must fully comply or face big fines." A survey commissioned by Compuware found that 52% of large US companies store information that fits that profile. So chances are GDPR will affect you, even if you are in the US and work for a US-based company.

A couple of the basic elements of GDPR consumer protections include the following:

  • The right to be forgotten. As a consumer in Europe, you are empowered to require a company to delete every bit of data they have about you.
  • Data portability. If you are moving from one service provider to another, your current provider must give you your data in a format that lets you transfer it to the new provider.

The good news is that enforcement of these new regulations goes into effect in May 2018, so there is still time to prepare. But you'd better get started now, because you have a big job ahead of you.

That's just what ADP, best known as a payroll and human resources service provider serving companies around the world, is helping its corporate customers to do.

"Clients have been asking questions since GDPR was enacted a year ago," Cecile Georges, Chief Privacy Officer at ADP, told me in an interview. "Clients want to know what they have to do to comply."

While ADP doesn't provide legal advice, Georges did offer some ideas about where organizations should start with their GDPR compliance efforts.

The first step, she said, is to understand the regulation itself. Georges points out that GDPR is made up of 99 articles, so any efforts to comply will include gaining an understanding of how those articles apply to your individual business.

How do you do that? Georges' next recommended step is to perform a gap analysis that inventories your organization's data processes now versus where they need to be to comply with the new rules. In this stage companies will need to answer questions such as: Who accesses the data? Where is it stored? Do you own the data?

"What companies do to comply will depend on the results of their individual gap analysis, so the answer won't be the same for everyone," Georges said.

"If you collect and process data originating from Europe, even if you don't have a company or legal entity over there, you are required to comply with GDPR," Georges said.

Companies with both European customers and non-European customers will need to decide if they want to create multiple compliance efforts -- a complicated undertaking. Do you run a separate program for the data and customers that touch Europe? Do you take on the effort, expense, and complexity of running two or more parallel compliance programs? Or should you instead create a single program that endeavors to comply with the regulations of the strictest jurisdiction where the company does business? That's not an easy question to answer, Georges noted. She sees some companies looking to create a hybrid approach.

How companies actually proceed remains to be seen. What about your company? How are you handling GDPR? Are you implementing multiple compliance programs within your company? Or are you following a single GDPR-like compliance effort? Let us know in the comments.
