When ISACA surveyed 6,000 business/IT professionals around the world the week before the deadline, only 29 percent said their organizations were GDPR-compliant — and only 25 percent of the remaining expected to be compliant by the end of 2018. Results of an April 2018 Ponemon Institute survey were worse still: Only half of the 1,000 surveyed U.S. and U.K. companies expected to be ready. Cost of implementing the regulation may be one of the major barriers. But consider this: The cost of noncompliance could be just as steep. Data privacy management company TrustArc found that of 600 surveyed organizations, a third spent more than $500,000 to prepare for GDPR and 25 percent spent more than $1 million (with another third estimating to spend half a million by the end of the year). To put that into perspective: Non-compliance fines could add up to 4 percent of annual revenues or 20 million euros (about $23 million in U.S. dollars as of August 2018). While smaller businesses are less likely to be affected than large, multinational enterprises, even small organizations are not necessarily off the hook. Any business that processes any amount of data needs to pay attention to this major change. If you’ve missed the GDPR deadline and are trying to catch up, here are the steps you need to take right now.
1. Get Familiar with the Requirements
It’s an obvious step but it bears emphasizing that if you’re not familiar with the GDPR requirements yet, start there. For many organizations, the regulation will bring major changes — in the Ponemon survey, 60 percent of respondents said it will create significant alterations to their workflows of collecting, using and protecting personal information. For starters, the regulation creates a much broader definition of “personal information” that other privacy laws. Even something like an IP address or cookie identifier is considered personal information under GDPR. Every website that runs on WordPress or integrates with Google Analytics uses cookies, so even a small website or blog would fall into this category. If you’re only running a small company or a website that’s not targeting citizens of the European Union, the regulation likely doesn’t apply to you if your website traffic from EU is considered incidental. But educate yourself thoroughly before you decide you’re an exception. The U.K.’s Information Commissioner’s Office (ICO) has a comprehensive online guide about all things GDPR. The details may be daunting to digest even if you have sufficient resources at your disposal. But the ICO has also created a tool box with “practical advice” for micro, small and medium organizations — check it out here.
2. Know Your Data and Where It Lives
The biggest challenge identified by the ISACA survey was data discovery and mapping. Even in a streamlined operation that uses a customer relationship management (CRM) tool, you may have data in other systems such as billing, or laptops and other mobile devices that your mobile or remote employees are using. Besides creating an inventory of your data, you’ll need to educate your employees about GDPR and what they need to do in the course of their daily work to make sure they’re not violating any requirements. For example, you may need to change your process for how sales people add prospects to their lists after in-person events (see the next step).
3. Get Permissions for Your Mailing Lists
You’ve likely received emails from your vendors and partners to re-subscribe to their communication list. That’s because GDPR requires explicit permission to collect someone’s information for any purpose — and someone giving you a business card or connecting with you on a social network doesn’t imply permission. So if you’ve collected email addresses off your website or tradeshow lists before but didn’t ask subscribers for explicit consent to opt-in for a list, you’ll have to work backwards. This should be relatively easy and quick to implement: Simply send everyone on the list an invite to confirm their subscription. Yes, you may lose subscribers, but it’s better than the alternative (a potential fine, that is).
4. Make Your Privacy Policy Known
There’s a long list of policies that you’ll need to develop: from data retention and employee privacy notice to data-breach notifications and data-breach response. Among these policies, the privacy policy for your website is easy to miss but just as easy to fix. One of GDPR’s requirements is to inform consumers what data you are collecting and storing about them. This includes those Google Analytics cookies and other information that you may not realize you’re collecting. Various websites offer free templates that can be used as a starting point for a privacy policy, and sites like Iubenda offer very inexpensive and highly-customizable templates. Don’t breeze through this. Make sure first that you have a good understanding of what you’re collecting and what you plan to do with that. And don’t forget that you also have a few other requirements when it comes to data privacy, so there’s still much more to be done beyond displaying a policy. Some examples:
Consumers have a right to “be forgotten” — which basically means if individuals don’t want you to process their data any longer and request deletion, you have to oblige Upon request, you have to provide consumers the data you’ve collected on them Individuals have the right to not only inspect the data but also correct it
5. Ensure Your Vendors Are Compliant
Chances are, if you’re collecting and processing data, you’re using a third-party service or app. Don’t assume that your vendor complies with GDPR. Do your due diligence to make sure your data processor is, in fact, compliant. According to the ICO, GDPR defines the controller as the “entity that determines the purposes and the means of processing personal data” — in other words, that’s your organization. Although GDPR places specific legal requirements on the processor, the controller is obligated to ensure that its contracts with the processors are compliant.
6. Implement Encryption for All Systems
GDPR is big on encryption. In the past few years, many organizations have been moving toward encryption as a best practice in case of a data breach, and other privacy regulations have made a push toward it. But encryption, by far, is not standard practice yet. Plus, you have to think beyond your servers and networks, and may need to deploy several types of encryption. One area that can be overlooked is your remote and mobile workforce. Do your employees use laptops and mobile devices? Password protection doesn’t count — those devices and remote computers also need to be encrypted. This list is just a basic start for GDPR compliance. You’ll have to implement a variety of other data-protection and cybersecurity measures. The good news is that many of the processes you put in place to be compliant with GDPR will help you improve your cybersecurity posture and be better prepared for a data breach. GDPR is as good a reason as any to get you thinking about your data from a business-risk perspective.
Sources
GDPR: The End of the Beginning, ISACA The Race to GDPR, Ponemon Institute 20% of Companies Report Being GDPR Compliant Post May 25 Deadline, TrustArc Guide to the General Data Protection Regulation, U.K Information Commissioner’s Office Tools for Micro, Small and Medium Sized Organizations, U.K. Information Commissioner’s Office If You Haven’t Fixed Your Website to Comply with GDPR, Here’s How, Forbes List of Mandatory Documents Required by EU GDPR, Advisera