The General Data Protection Regulation (GDPR) creates drastic and broad-sweeping changes to data privacy for anyone who is in the EU (not just citizens, but visitors and immigrants, as well) and for any company that retains EU customer data. The purpose is to ensure that data subjects have greater control over their personal information; including the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to have their data portable, and the right to seek damages should they suffer from misuse/breach of their data.
If you’re in a U.S.-based multinational enterprise doing business in the EU, you’re aware that the European (GDPR) deadline is May 25, 2018. You may also be painfully aware that you are not ready for the impending change. Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018. Non-compliant companies will face hefty fines of up to €20 million or 4 percent of global annual revenue, whichever is greater. Non-EU companies will be a particular target of these higher fines.
Preparing for the GDPR needs to start now. Here are some important steps to take to ensure you’re on the fast track to compliance.
Steps to take now
1. Determine if you’re a controller or a processor. This will shape your preparations. The regulation breaks out responsibility for protecting data into two roles: controllers and processors – and says that both parties are liable for upholding data subject’s rights. In some cases, you can be both controller and processor; or a controller that has multiple processors. Understand the GDPR definitions and get the advice of your legal team.
2. Audit your data. This is one of the most time-consuming tasks, but it reaps multiple benefits. Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it. Can you get a single view of your data subjects? There are database solution providers who can help you do this. A single view will be necessary in order to be able to “forget” (delete) a data subject’s info from everywhere you have it stored.
3. Work with your legal team and GDPR experts to determine which EU member state will be your supervisory authority. You will need to appoint a representative for your company who is established in your EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.
4. If required, appoint a Data Protection Officer. Not all organizations need one, but given the vastness of the compliance requirements, it may be wise to have one. Make sure this person has the expertise you need.
5. Redesign what consent and disclosure looks like for your customers. Data subjects will need to check a box (or its equivalent) for every single use-case you have for their data. This includes profiling and big data purposes. They need to be able to select those they agree with and decline those they don’t, and you need to be able to comply and track their preferences in your systems.
6. Audit your third-party providers and re-evaluate service level agreements. Remember, if a third-party is not able to prove their GDPR compliance, the work they do for your EU data is illegal.
7. Consider where your data centers should be. Some companies are moving data centers to the EU to comply; some cloud-based database providers are able to easily discern and segregate EU data for you.
No doubt GDPR compliance can be overwhelming but the GDPR can ultimately benefit your company. Consider making GDPR standards the standard for your company around the globe. Improved data efficiency, better data protection, better relations and trust with customers – all of these things have the potential to push your company to the forefront and better secure you against future pain of data breaches.
Martin James is Regional Vice President, Northern Europe at DataStax, where he is responsible for the company’s go to market strategy and sales performance. Previous to DataStax, Martin held roles in sales leadership for companies across the data, analytics marketing and cloud sectors.