GDPR: What to do from now till May 25th
This expert piece was written by Gregg Petersen, Regional Sales Vice President, Middle East & Africa, Veeam Software
You’ve probably heard a lot about the new EU General Data Protection Regulation (GDPR). And that’s understandable. The run-up to it has been a long, drawn-out process – beginning way back in 2012, when the European Commission proposed a comprehensive reform of the 1995 data protection rules.
These proposals turned into plans, and now these plans are finally hurtling towards us at breakneck speeds. After all the talk, commentary, advice and debate, the grace period for the new regulations is coming to an end (May 25th 2018) and penalties are just around the corner.
In the grace period we’ve had, there certainly hasn’t been a lack of information about what people should expect from the new regulation. But the sheer volume of literature surrounding it is justified by the scale of its impact.
The new GDPR will have a profound impact on all organisations that are responsible for processing and storing personal EU citizen data. And in today’s borderless digital world, this means businesses beyond Europe will be affected. Indeed, any business that deals with a partner in Europe will be subject to the rules.
Remember, the fines are colossal: up to 4% of annual global revenue, or EUR 20 million – whichever is higher. So, with just weeks to go, it’s worth making sure your business is prepared. In fact, it’s worth double, triple and quadruple checking that your business is prepared. The risk of non-compliance and the resulting fine is too great to take chances on.
With that in mind, here are just a few things you should be looking out for in the final countdown.
1. Make sure everyone is aware
Some businesses and organisations are appointing, or have appointed, a designated Data Protection Officer in the run up to the launch of the GDPR.
Even if some are a little behind the curve, this is smart thinking: not only can a DPO be a useful expert, they can also be a GDPR advocate – getting the entire company on board with GDPR best practice. Moreover, they’ll be able to recommend the right kind of tools to bring on board to aid with data backup, in the event that the business is attacked.
But even for those businesses that aren’t making a DPO hire, it’s worth remembering that the GDPR is a company-wide issue. This means you should be making sure that all the key stakeholders in your organisation have a solid understanding of the implications and requirements of the new regulation and how it will affect their own processes.
2. Conduct a data audit
By now, every business should know what personal data it holds, where and how it’s stored, and where it came from. It also needs to know why it’s holding that data and how it came to have it. Any or all of these questions might be asked by local GDPR enforcement agencies.
If you’re one of the businesses that doesn’t have this level of data knowledge, it’s time to hurry up and answer the questions about your data. Come May 2018, you will need to justify the legal basis behind your data processing activities. The authorities are not going to be lenient on businesses that suffer breaches and are unable to back up the data they host to ensure its safety. The fines are real, and soon enough there will be an example that proves it.
3. Review personal privacy rights
One of the big changes the GDPR is bringing about is greater rights for citizens over their data. To put that into context, over the past three years Google received 2.4 million requests for the deletion of search engine results – that number is going to rise rapidly as people understand more about their right to be forgotten.
Beyond being forgotten, people will also be able to access their data, or to request a copy of it for themselves (in a format they can digest). To ensure this right doesn’t become a time sink for your organisation, you should make sure you have a way to tag the location of each data point so you can access it when necessary. It’s a small change that could yield big dividends.
4. Have a plan for data breaches
Under the rules of the GDPR, organisations must report data breaches within 72 hours of discovery. That doesn’t leave long, especially when you consider that the hours after a breach will be a fraught time, with lots of different investigative and firefighting activities going on.
As such, it’s key to have the right plans in place to allow for the detection, reporting and tackling of a data breach, should one happen.
Here, additional reporting software can help. Tools that add clarity to the location of backup repositories can save time with compliance reporting. And, should data become unavailable because of malware, recovery software can make that data available again.
5. Keep improving
Of course, it’s good to have a plan, but it’s even better to leave room for continued improvement – particularly where the availability, quality and safety of data are concerned, and at a time when data is fast becoming the most prized asset of our age.
Considering the fast-paced world we live in, it’s likely that the digital landscape will change in the coming years – even more so than in the last decade. As such, it pays to be able to evolve with the times and to test, trial and evolve with technology. The GDPR doesn’t end on May 25th. It only just begins.