The GDPR – What It Means and How to Comply
For many businesses, the acronym GDPR has become synonymous with “greatest operational and legal challenge over the next five years.” In turn, you have probably been targeted with buckshot marketing campaigns introducing solutions that will supposedly save you and your loved ones from impending GDPR doom. In this short article, I’ll address the challenges and changes to come in the hope of shedding some light (and maybe some peace of mind) on what’s actually going on.
The GDPR in a nutshell
The EU General Data Protection Regulation will go into effect on 25 May 2018 to protect the data privacy rights of individuals. In this increasingly data-heavy world (email alone is exchanged at a rate of roughly 269 billion messages a day), the GDPR is designed to give consistency to data privacy laws across Europe. In certain circumstances, it also extends to organisations outside the EU that offer goods or services to individuals therein. The maximum fines for non-compliance exceed those which could be levied under previous regulations: up to four percent of annual global turnover or €20,000,000, whichever is greater. Simply stated, the GDPR is no laughing matter.
Panic versus reality
For those of us old enough to remember the Y2K panic, the current GDPR frenzy is evoking similar feelings. Y2K fear mongering led many to pass the waning weeks of 1999 preparing their bunkers and backup generators rather than pouring glasses of bubbly. Fast forward 18 years and we see similar behaviour: a simple Google search for GDPR returns hundreds of pages listing anything from DIY tool kits to “overnight” compliance solutions. The UK Information Commissioner herself has penned a series of myth-busting blogs to sort fact from fiction.
What these “quick fixes” miss is that most organisations already comply (to some degree) with the GDPR through their existing business practices. A sensible approach to managing data is something many organisations have taken seriously for a long time. Whether or not they know it, hardly anyone is starting from scratch.
Assessing and working within an existing structure is more practical and effective than building from scratch. Looking at the bigger picture presents an opportunity for organisations to better understand what information they hold, what information they actually need and, most importantly, how they use and ultimately dispose of that information responsibly.
The solution: a sensible, organic approach to GDPR
GDPR compliance initiatives should be scaled in an informed way, providing as much (or little) input as their sophistication demands.
A successful, streamlined GDPR compliance workflow can proceed as follows:
- Policy and regulation review: Perform a high-level policy review and interview relevant stakeholders to get an understanding of the organisation’s stance on data privacy regulations.
- Data mapping: Determine what kind of data the organisation has, where it is stored, how it’s used and which policies apply to it.
- Data analysis: Deploy forensics experts with the most appropriate tools to run further analyses that identify problem areas, such as personal data (PII) sitting in stores that lack adequate security protection.
- Vulnerability assessment: Once it’s been established what data is held and where, verify the technical and security controls around each store, and record the intrusion detection and prevention systems that cover it on the data map.
- Remediation: Build a compliance plan covering changes to internal workflows, data storage locations, security controls, IT environments or third-party agreements.
- Ongoing compliance audit: Ensure there is a robust review and audit programme in place so that compliance develops and grows with both the organisation and the GDPR.
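The data mapping, data analysis and vulnerability assessment steps above are usually carried out with commercial discovery tooling, but the core idea is simple enough to show in code. The following is an added example, not code from the original article or from TLS: it scans a set of constructed sample data stores for common personal-data patterns (email addresses, phone numbers, dates of birth and Luhn-valid payment card numbers), builds a field-level data map, and then flags stores that hold personal data without two assumed control attributes (`encrypted` and `retention_days`) being in place. The store names, rows, control attributes and category names are all invented for illustration.

```python
"""
Added example (not from the original article): a minimal data-discovery
scan supporting the data mapping, data analysis and vulnerability
assessment steps. All stores, rows and control attributes are constructed
sample data; the classifier patterns are illustrative, not a complete
personal-data model (names, for instance, are not detected by pattern).
"""
import re
from collections import defaultdict

# Constructed sample "data stores": name -> control metadata plus rows.
# 'encrypted' and 'retention_days' are assumed control attributes.
SAMPLE_STORES = {
    "crm.contacts": {
        "controls": {"encrypted": True, "retention_days": 730},
        "rows": [
            {"name": "A. Example", "email": "a.example@example.com", "phone": "+44 20 7946 0000"},
            {"name": "B. Sample", "email": "b@example.org", "phone": "07700 900123"},
        ],
    },
    "billing.exports": {
        "controls": {"encrypted": False, "retention_days": None},
        "rows": [
            {"customer": "A. Example", "card": "4111 1111 1111 1111", "dob": "1980-02-29"},
            {"customer": "C. Test", "card": "1234 5678 9012 3456", "dob": "1975-11-05"},
        ],
    },
    "ops.metrics": {
        "controls": {"encrypted": True, "retention_days": 90},
        "rows": [{"host": "web-01", "cpu": "0.42"}, {"host": "web-02", "cpu": "0.17"}],
    },
}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
PHONE_RE = re.compile(r"^\+?[\d\s()-]{9,}$")      # loose; digit count is checked separately
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit string is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> set:
    """Return the set of personal-data categories a single field value matches."""
    cats = set()
    v = value.strip()
    if EMAIL_RE.match(v):
        cats.add("email")
    if DOB_RE.match(v):
        cats.add("date_of_birth")
    if CARD_RE.match(v) and luhn_ok(re.sub(r"\D", "", v)):
        cats.add("payment_card")
    elif PHONE_RE.match(v) and 10 <= sum(c.isdigit() for c in v) <= 12:
        cats.add("phone")
    return cats


def build_data_map(stores: dict) -> dict:
    """Data mapping: store -> field -> categories detected in that field."""
    data_map = {}
    for store, spec in stores.items():
        fields = defaultdict(set)
        for row in spec["rows"]:
            for field, value in row.items():
                fields[field] |= classify(str(value))
        data_map[store] = {f: c for f, c in fields.items() if c}
    return data_map


def find_gaps(stores: dict, data_map: dict) -> list:
    """Assessment: stores holding personal data without the assumed controls."""
    gaps = []
    for store, fields in data_map.items():
        if not fields:
            continue  # no personal data found; nothing to protect here
        controls = stores[store]["controls"]
        if not controls.get("encrypted"):
            gaps.append((store, "not encrypted at rest"))
        if controls.get("retention_days") is None:
            gaps.append((store, "no retention period defined"))
    return gaps


if __name__ == "__main__":
    dm = build_data_map(SAMPLE_STORES)
    for store, fields in dm.items():
        print(store, {f: sorted(c) for f, c in fields.items()})
    for store, issue in find_gaps(SAMPLE_STORES, dm):
        print("GAP:", store, issue)
```

Run against the sample data, the scan maps `crm.contacts` (email, phone) and `billing.exports` (payment card, date of birth), leaves `ops.metrics` empty, and reports `billing.exports` twice: it is unencrypted and has no retention period. The second card number in `billing.exports` fails the Luhn check and is deliberately left unclassified rather than being mis-reported as a phone number, which is the kind of false positive that makes a data map untrustworthy. In a real engagement the pattern list would be broader and the control attributes would come from the vulnerability assessment step rather than from a hand-written dictionary.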
The world wasn’t noticeably different on 1 Jan 2000 as a result of Y2K, and it’s unlikely the world will change at midnight on 25 May 2018. Nobody yet knows what perfect GDPR compliance or actual GDPR enforcement will look like. As with any big change in the regulatory or technical landscape, it’s important to arm yourself with information, make preparations and have an intelligent programme in place. Stay tuned as we explore the ways you can ensure your organisation is prepared for the new era of GDPR.
TLS has notable experts in each field and over a decade of experience with Big Data’s numerous forms: forensic collection, processing, e-discovery and information governance, to name a few. Our clients come to us to better understand and undergo the GDPR transition. Law firms supplement their regulatory advice with our technology and expertise while corporate departments, financial institutions and SMEs benefit from our knowledge surrounding their data from ongoing engagements – making TLS the ideal partner for GDPR support. To learn more, email legal@transperfect.com or visit www.transperfectlegal.com.