Marketing Will Never Be the Same – GDPR!
This post will lead you through the new EU regulations about storing personal data on your company servers.
These new regulations are nothing less than a revolution in the way countries maintain their citizens’ personal data and in companies’ permission to store and use their customers’ information for their own needs.
For years, companies could do anything they like with this data: tracking people, targeting people, buying or selling this data, and so on. This situation is going to change.
This article will explain how and what you should do to be ready to face those winds of change.
The GDPR came into effect in the EU on May 25th 2018. From then on, any company which stores or processes personal information about EU citizens within EU states has to comply with the GDPR regulations, even if they do not have a business presence within the EU. Companies are now required to have the same level of protection for information such as an individual’s IP address or cookie data as they do for fields like name, address and Social Security number. The GDPR puts steep penalties of up to €20 million or 4 percent of a company’s global annual turnover, whichever is higher, on non-compliance.
According to the GDPR, companies are allowed to store and process personal data only when the individual consents, and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
The GDPR defines several roles responsible for ensuring compliance: data controller, data processor, and the data protection officer (DPO). The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance.
WHAT SHOULD MY COMPANY BE DOING TO PREPARE FOR THE GDPR?
1. Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
2. Involve all stakeholders. IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and be better prepared to deal with any impact on their teams.
3. Hire or appoint a DPO: The GDPR does not say whether the DPO needs to be a discrete position, so presumably, a company may name someone who already has a similar role to the position as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO may not have to work full-time. In such case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be a consultant who works as needed.
4. Create a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
5. Conduct a risk assessment survey: You have to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII.
6. Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, this means revising existing risk mitigation measures.
7. If your organization is small, ask for help if needed. Smaller companies will be affected by GDPR, some more significantly than others. They may not have the resources needed to meet requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimize internal disruption.
8. Test incidence response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize, the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond within the period.
9. Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement.