A Practical Guide to GDPR Compliance - Egnyte

ARE YOU READY? A Practical Guide to GDPR Compliance


WHAT IS THE GDPR? The European Commission will introduce the General Data Protection Regulation (GDPR) - a new set of strict privacy regulations designed to protect the personal data of individuals located in the EU.


On May 25, 2018, all businesses that handle EU personal data must be GDPR compliant, regardless of geographic location.

[Chart: Are Businesses Prepared? (June 2017) - share of respondents in the US, the UK and the rest of the EU that are fully prepared, ready to start preparation, or have no plans to prepare]

Less than 5% of companies are prepared for the significant changes that the regulation will bring.

Source: https://community.spiceworks.com/research/gdpr-impact-on-it

Many companies outside the EU assume the GDPR will not apply to them... but it applies to every organisation offering goods and services to EU citizens.

[Chart: Companies that believe GDPR will not apply to them. Source: https://community.spiceworks.com/research/gdpr-impact-on-it]

Uncertainties about the GDPR have been causing companies to delay their efforts to comply. FOR EXAMPLE...

• Most don’t understand the steps needed to comply with GDPR

• IT teams are concerned about the scope and complexity of GDPR compliance

• Some incorrectly believe the deadline will be extended

[Chart: concerns reported by IT teams - GDPR requirements not clear; Management doesn’t understand impact; Will increase IT complexity; GDPR will require a lot of user training; GDPR will make my job difficult; GDPR will make doing business difficult; Cost of complying; None; Don’t know]

WHAT HAPPENS IF YOU’RE NOT READY? It’s the company’s responsibility to be prepared, and the cost of non-compliance can go way beyond the fine. Damage inflicted on a brand following a breach can permanently affect the bottom line of an organisation.

• €20 million or 4% of worldwide revenue

• Damage to reputation

• Loss of customers

TAKE ACTION!

8 STEPS TO PREPARE FOR GDPR Complete content governance is the foundation for GDPR compliance. If you can find, account for, and understand your data... you can report on it.


Step 1

KNOW YOUR DATA

Determine what type of personally identifiable data you have on file, how sensitive it is, and where it is held.


Manage access controls

Step 2

KNOW WHAT YOU NEED TO DO Construct a detailed roadmap on how to address any gaps in your organisation while handling sensitive data. Review and update your existing privacy notices and communications policies.

Control data residency

Step 3

BE TRANSPARENT Look into hiring a Data Protection Officer (DPO) to implement and manage your data handling processes and procedures. Their role is to make sure that only the minimum amount of customer data is collected and processed.

The DPO must also provide the Data Protection Authority and the general public with access and insight into how customer data is managed.


Set up a system monitoring compliance activity in high risk areas.

Step 4

MONITOR YOUR DAILY ACTIVITIES It’s important to have full visibility into the way your company handles data. One of the easiest ways to maintain visibility is to keep an open line of communication with everyone involved, reviewing and updating privacy policies on a regular basis.

GET PROPER CONSENT

PROCESS SENSITIVE DATA

SHORTEN ACCESS REQUEST TIMEFRAMES

ENSURE COMPATIBILITY OF NEW SYSTEMS

Step 5

IMPLEMENT CHECKS & BALANCES After you’ve implemented the key processes and procedures, it’s important to stress test them on a regular basis.

CONDUCT A PRIVACY IMPACT ASSESSMENT (PIA)* This will mitigate privacy risk by analysing how your organisation will use personal information and technology.

It’ll also identify and fix any issues at an early stage, reducing potential cost and damages that may have otherwise occurred.

*http://www.eudataprotectionregulation.com/privacy-impactassessment

Step 6

PREPARING FOR A WORST-CASE SCENARIO

1. Define the worst-case where your established processes could fail.

2. Put together an incident response team.

3. Set up a communications plan, as well as preemptive courses of action your company can attempt to take in order to fix the error.

4. Be able to report any breach resulting in harm to an individual to the Information Commissioner’s Office (ICO)* within 72 hours.

5. Treat every breach with equal significance so that you are well prepared for the worst-case scenario.

Step 7

BE REALISTIC ABOUT POTENTIAL COSTS

The cost to get ready for GDPR really depends on what industry you’re in and the data being processed. It varies depending on the size and makeup of your organisation, whether your IT systems are prepared for GDPR, and if you’re starting from scratch or building on an existing privacy program.

You’ll need to work out how to process and offer customer consent, when required.

FINES CAN BE FATAL Run theoretical scenarios on how to handle any financial repercussions. Sound preparation and planning can make or break your business when it comes to surviving a breach.

A breach could cost up to €20 million or 4% of company revenue.

Step 8

TRANSFER SOME OF THE RISK

Before the GDPR goes into effect, check out the benefits of a cyber insurance policy. If you don’t have one, you should definitely look into getting one. If you do have a policy already, review it closely with your provider to understand your GDPR coverage.


SO LET’S RECAP

THE 8 STEPS

1. Know your data

2. Know what you need to do

3. Be transparent

4. Monitor all your data activities

5. Implement Checks & Balances

6. Plan for a worst-case scenario

7. Be realistic about potential costs

8. Transfer some of the risk

GDPR is complicated. But not with us.


We can help.

egnyte.com

egnyte.co.uk/gdpr

twitter.com/egnyte