With just over a year before the EU General Data Protection Regulation (GDPR) comes into force, we are getting the overall impression that a surprising number of organizations are still seemingly unprepared. Whether this is down to low awareness or a lack of willingness to face the change, burying your head in the sand isn’t really a long-term or strategic option.
GDPR is new EU-wide legislation to replace the Data Protection Directive from 1995. It’s designed primarily to further strengthen the protection of personal data for EU residents. In the near future, if you’re keeping data about a customer in the EU, they have the right to know, check and even ask for that data to be deleted.
GDPR is a far-reaching piece of legislation that will affect every organization that wants to retain personal data relating to EU residents, regardless of where the business is based. Businesses around the globe, of all sizes, must comply with GDPR – or face heavy fines – when they collect, store, process or analyze any type of personal data belonging to residents of EU member states.
Come Friday, May 25, 2018, any business that handles EU residents’ data must have established GDPR-compliant processes and procedures. This even extends to how data is deleted. Under the new regulation, EU residents can request that all their personal data is fully erased from a company’s automated and non-automated systems, so long as they can show that there is no requirement for it to be kept. It is not just personal addresses, birth dates and bank details that need to be protected: The new regulation provides a very broad definition of personal data, describing it as “any information relating to an individual in their private, professional or public life” – which includes photos, posts on social networking websites and even email addresses. In short, anything that can be used to identify an individual.
As you can easily imagine, EU GDPR brings an extensive set of obligations for businesses that go beyond current data protection requirements. One of the most onerous, from a compliance point of view, is the duty to report data breaches within 72 hours (that’s the easy part) while also notifying ALL affected individuals in the same three-day period when there is deemed to be “serious risk of harm”. This is a requirement which might pose a nightmare for companies – how can you notify customers of a data breach while still hoping that it does not tear your reputation to shreds?
The new regulation also demands that organizations can prove they have obtained freely given and explicit consent from individuals to collect and process personal information. Think about it – this means keeping a log of all information received from individuals, down to asking their permission to store an email address. It also necessitates clearly communicating how you plan to use each individual piece of information. While some organizations already have consent mechanisms in place, as a rule they are simply not comprehensive enough to be valid under GDPR and will need to be overhauled. Many organizations will also recognize the need to appoint a dedicated data protection officer.
Almost halfway through the transition period already
The European Parliament formally approved GDPR in April 2016. Although we are now well into the two-year transition period, only a small number of businesses have truly understood what the new regulation means for them and are consequently taking the essential steps to prepare. Time is running out: Non-compliance will mean severe penalties, up to four percent of global annual turnover or EUR 20 million, whichever is greater. And that’s not all – as mentioned above, there’s the cost of the damage to your reputation caused by loss of trust.
The EU GDPR’s requirements are complex. Many companies will need to review and radically change business practices: Even more reason to start preparing in good time.
How to get started? First, make sure you understand what types of data your organization holds, where they are stored, and how they are processed. Mapping this data will provide a clear understanding of what falls under the scope of GDPR, highlight potentially weak spots and make it easier for the right technical and organizational solutions to be put in place to close any gaps.
There is no quick fix, but businesses don’t have to go it alone. Together with industry-leading security partners, Fujitsu offers a comprehensive set of consultancy services to help organizations prepare for and comply with the new obligations. This starts with a fixed-price EU GDPR Readiness Assessment, which provides a thorough validation of current practices against the new requirements. This readiness assessment scrutinizes all aspects, from data security policies and privacy statements to supplier contracts, existing technologies and IT infrastructure. In addition to a readiness review, Fujitsu security experts also provide support in making sure systems are aligned with GDPR requirements, in defining and establishing data privacy strategies, and in developing and implementing processes for detecting and reacting to data breaches. Further services drill deeper into aspects such as broader and more detailed data discovery, aiming to identify existing data pools that will be affected by the new rules, and assess how data is processed and stored throughout its lifecycle. For businesses that prefer to outsource their requirements, managed security services are an option well worth considering.
Finally, let’s also look at this from a different perspective. In this digital age, data is one of the most critical business assets. Businesses with a clear vision of their data landscape have a competitive advantage. So, rather than seeing the new regulation as a mere burden, organizations should consider it an opportunity to assess their current situation and then build a data-driven business that customers will be happy to rely on.
Whichever way you look at it, one thing is certain: EU GDPR will have a significant impact on your business. It’s time to start getting ready, before you get caught out.
If you’d like to learn more about Fujitsu’s range of support options for GDPR, see http://www.fujitsu.com/fts/solutions/business-technology/security/gdpr/