Being GDPR Compliant Requires Three Key Considerations
We’re just a few weeks away from the implementation of the European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25th. If businesses haven’t taken the necessary steps to comply with the rules already, they could be in big trouble.
The new regulations will have massive implications for all businesses working with EU data, and includes strict mechanisms that implement tighter rules for companies when it comes to the handling of that data.
It applies to companies in all countries, including Canada, that have access to EU personal information. This includes European customers or clients, or those that process European data on behalf of their clients. Given Canada’s close economic ties with the EU, this likely applies to most sizeable Canadian businesses. Most companies are not fully aware of the depth and reach of the regulations. They need to think about all stakeholders they collaborate with – be it vendors, contractors, or subcontractors.
The GDPR does not include an opt-out clause. Businesses must comply, or be subjected to heavy fines of up to €20 million, or four per cent of their global gross revenue – whichever figure is the greater. Such fines can break an organization.
There’s still time to become GDPR-ready, but businesses need to take the necessary steps in order to prepare their organization’s information for compliance, ensuring they get proper and full control of their organization’s content, including where it’s stored, where it’s processed, and how it’s used.
Here are three keys to understanding GDPR compliance, and how companies can prepare themselves accordingly.
Under Article 5 of the GDPR, its necessary to be fully transparent of the data under your possession, and forcing businesses to be aware of the information they’re storing and collecting in case that data is requested by a GDPR regulator. This also includes records for consent of collection and the installation of proactive privacy practices that are transparent to customers.
Too often, company data is stored in multiple locations. This is mostly due to organic growth: over the years, several data centers, databases, applications, operating systems, hardware platforms, desktop and mobile systems have grown and been integrated together. This means, however, that many companies do not even know exactly where personal data is being held.
Compliance with the GDPR will require mapping out the data you control, understanding where it sits, where its flowing and who has access—both inside and outside of Canadian borders. Businesses will also need to reorient how they develop data capture application forms so that they’re clear, straightforward and that customers are aware of what they’re signing up for.
Managing data usage controls
The GDPR enforces strict new usage controls over data that companies possess. These include principles such as “data minimization,” “data portability,” and the infamous “right to be forgotten.” In order to get a handle on all these principles, companies must establish internal strategies and take the necessary steps to ensure data protection by design and by default. It requires having complete control over customer content and data, having the ability to limit the amount of data collected when possible, and easily deleting that data upon request.
It may even be of value to hire a data comptroller that oversees how data is being managed by the organization, what future changes to GDPR legislation may impact the personal data under their control, and what kind of notifications the company needs to deliver to their customers.
Mandatory breach notification
Companies will be required to report on any data breaches within 72 hours to both GDPR regulators and to those directly affected by the breach. Failure to report properly and fully within 72 hours could result in penalties of up to four per cent of global annual revenue. Data breaches under the GDPR includes any breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The term broadly encompasses any unauthorized use or access of personal data.
In the case of a breach, in order to comply with the 72 hour rule it will be imperative for companies to be able to document breaches as thoroughly as possible and have a plan in place to provide all the necessary details to GDPR regulators, including the categories and approximate number of individuals and data records concerned, and the potential consequences of that breach.
The requirements for GDPR compliance are immense. Canadian companies need to take action now if they haven’t done so already. Staying informed on GDPR regulations, and having the content management software in place in order to comply with the rules will be key to avoiding any break of the law.
Ian Phillpot is the Vice President of Box Canada.