It’s May, and the implementation date for the new European Union (EU) General Data Protection Regulation (GDPR) is right around the proverbial corner—a regulation that carries some hefty penalties for businesses that process the personal data of EU citizens. If you haven’t already started your GDPR compliance preparation, now is the time to make sure you have all of your bases covered before it’s too late.
With that in mind, here’s a quick list of the top few things you should do before GDPR kicks in on May 25, 2018:
Do any of your vendors gather data about your customers, or use the data that you’ve collected for their own needs? If your answer is “I’m not sure,” then you need to sit down with that vendor and rework your contract to clarify what data they can and cannot collect or use on the double!
This is because GDPR’s rules specifically state that:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
In other words, if one of your vendors is collecting or using data on your behalf, they need to comply with the requirements of GDPR as well. Additionally, your vendors shouldn’t be handing off your customers’ data to other vendors.
So, be sure to review your vendor contracts and make sure that they specify:
By spelling out these things in the vendor contract and doing your best to enforce them, you can limit your liability risk later on.
One of the most critical provisions of GDPR is that your company is expected to notify those who may be affected by a breach without undue delay. Since the term “undue delay” is left undefined, it can be hard to establish a set time limit for notifying customers who may be affected by a breach.
On the other hand, the time for a business to notify the “appropriate authorities” is specifically defined as 72 hours from the time the breach was detected.
This is why it’s important to implement and test both an intrusion detection system (IDS) and a documented procedure for notifying the authorities and any parties that may be affected by a breach. Having such systems in place is a good idea in any case, since they help you identify security breaches quickly and, hopefully, warn your customers in time for them to take appropriate measures against identity theft.
The text of the EU data protection regulation specifies some key rights for data subjects (the people whose data you’re collecting and using). One of the most important ones is that they have the right to transparent communication of their rights. Some other entitlements include the right to be notified when their data is being collected, the right to opt out of data collection, and the right to be forgotten.
So, to comply with GDPR, your business will need to start creating some new notifications. You might want to consider creating pop-ups or putting text on pages that collect information to make it clear to the customer what information is being collected and why—as well as links to a document explaining GDPR’s “bill of data user rights.” This way, you can make it explicit that you’re collecting data in compliance with the text of the rule.
Such pop-ups should include the option to opt out of data collection if the customer so desires.
The “right to be forgotten” means that if the data subject so wishes, you have to delete any personal information you may be storing about them. Article 17 of GDPR does note some limitations, such as not having to delete data if processing the information is necessary “for the establishment, exercise or defence of legal claims,” but establishing or verifying that one of these exceptions applies may require expert legal assistance. So, it’s usually best to make the deletion of data as easy as possible unless you know there’s a compelling reason not to allow the data to be deleted.
Creating systems to allow data subjects to see what information you’ve collected about them and to easily request that you delete the data is a basic part of complying with the data subject rights outlined by GDPR.
While this blog hopefully helps you prepare for GDPR compliance, it’s no substitute for legal advice from a trained professional. This is why it is strongly recommended that you consult a lawyer about the impacts of GDPR on your business—preferably a lawyer who specializes in telecommunications law or has experience in dealing with EU regulations.
Having a lawyer who knows how to extrapolate all of the potential impacts and consequences of a big new regulation like GDPR for your business in particular is a must if you’re going to minimize your risks.
Another key requirement of GDPR is that businesses need to take reasonable measures to secure the data they store against unauthorized access. One of the most basic steps in protecting data is to conduct a thorough audit of your company’s security architecture and policies to identify all of the assets that need protection and the opportunities for improving your cybersecurity.
By acting on the vulnerabilities identified in the audit, you can minimize your cybersecurity risks—which is a critical part of protecting your business’s data, as well as the data of your customers, from malicious actors.
If you need more information about the EU’s new data protection regulation, please download our free GDPR guide at the link below. Or, contact Compuquip Cybersecurity to schedule a security policy audit and get some more advice about preparing for GDPR compliance today!