Are you prepared for GDPR Compliance?
Recent Survey Finds Most Businesses are Uninformed and Unprepared
The cybercrime landscape is getting scarier by the day. In response, the cybersecurity regulatory environment is continually evolving to develop new best practice standards and protect business owners. The last few years have seen an increase in formally legislated data security mandates that impact businesses of all kinds.
For business owners, a mounting pile of compliance regulations can seem like a tedious nuisance. We hear this question among our clients all the time – how is my company supposed to keep up with more and more cybersecurity regulations? However, tedious as they may be, data security regulations are designed specifically to prevent the devastating impact of a breach on business operations.
Understanding the GDPR: What is the General Data Protection Regulation?
The General Data Protection Regulation is a data protection mandate developed by the EU. After four years of preparation, the GDPR was approved on April 14th, 2016. The official enforcement date is May 25th, 2018, at which time non-complying organizations will face hefty penalties and fines.
The EU’s GDPR was specifically designed to harmonize data privacy laws across Europe, to maintain data protection for all citizens. The GDPR replaces the former Data Protection Directive and aims to reshape the way organizations across the international business community approach data privacy.
Here are the key articles, central to GDPR:
- Companies must obtain consent for data processing from all data subjects
- Companies must anonymize collected data to protect privacy
- Any breach must be notified to governing bodies within 72 hours
- Data transfers that take place across borders must be handled safely
- Certain organizations are required to appoint a data-protection officer for GDPR compliance management
This is only a brief outline of what’s required of businesses under GDPR. In order to be fully informed, business owners should take the time to explore the GDPR mandates completely. Once you understand the ins and outs of what’s required and the potential penalties, compliance strategies will be much easier to implement.
For a full rundown on the GDPR, check out this comprehensive guide.
Who’s Impacted? Understanding Who’s Responsible for GDPR Compliance
So, you must be thinking – European data security regulations? This can’t possibly have any impact on your business, right? Think again. While the GDPR is a set of European regulations drafted by the EU, it applies to businesses outside European borders. GDPR mandates apply to any organization across the globe that does any kind of business in Europe or with European organizations. Furthermore, companies and organizations that have European citizens on their staff are also impacted.
Not to mention, non-European-based businesses can be fined up to 4% of global revenue or 20 million Euros – whichever is larger – if they do not handle or store the personal data of European citizens according to GDPR regulations.
On Guard: How Prepared are Businesses for GDPR Compliance?
Okay, now that you know what GDPR is, you’re probably feeling like you’ve been in the dark on some pretty significant stuff. But you’re not alone. DocsCorp decided to conduct a study to measure how prepared North American businesses are for the implementation of GDPR. The company has recently released the results of its survey, entitled The Current State of GDPR Readiness.
Participants in the survey were asked a series of questions designed to determine how prepared their organizations were for the changes that will take effect under GDPR in May of 2018.
The survey had alarming results. Let’s break the key findings down below:
- Only 27% of US and Canadian organizations had begun preparing for GDPR.
- That means 73% of organizations had not begun preparing for GDPR.
- In fact, 54% of organizations were unaware of the compliance enforcement date of May 25th, 2018.
- Finally, 55% of organizations named the leaking of personal data as their biggest security concern.
These results are concerning because they demonstrate that the majority of North American businesses aren’t sufficiently informed and definitely aren’t prepared for the upcoming GDPR mandates. Further, with over half naming leaked data as a primary concern, the urgency of data security compliance is clear. With the May 2018 deadline fast approaching, this level of unpreparedness can leave businesses open to severe financial penalties if compliance standards aren’t put in place.
The DocsCorp survey should serve as a WAKE-UP CALL for our colleagues, clients and all business organizations across North America to start making deliberate efforts to get prepared for the GDPR mandates. If data security is a top priority – and it most definitely should be – getting informed about what’s required under GDPR is the first step. Then, it’s all about implementing strategies to maintain compliance.
Business-Focused Strategies: How Can Business Owners Prepare for GDPR Compliance
So, with May only six months away, local businesses are likely wondering – how in the world do I get prepared for GDPR compliance? When working with our clients, we try to outline key strategies for data protection that can be easily implemented and maintained to ensure compliance. Luckily, these strategies apply to GDPR prep, so let’s take a look:
- Build Awareness
First and foremost, use this guide and other online resources to get yourself and your team informed about GDPR mandates. We constantly tell our clients that employee awareness is the first step and the strongest line of defense in a data security strategy. Furthermore, we believe in being transparent with our clients about the threat landscape, and business owners should be transparent with their workforces as well. If you and your team know what’s expected and what’s at stake, you won’t be caught by surprise.
- Inventory Your Information
Figure out what kinds of data you collect and determine what’s impacted by the GDPR. Our experience working with clients in all industries has allowed us to observe that many organizations simply don’t have a central inventory of the types and quantities of data they collect. By creating a ‘data inventory’ your company will have a better idea of how to organize and manage data for compliance.
- Data Security Policies and Procedures
We’ve said it once and we’ll say it again: having detailed data security policies and procedures in place is critical. Writing down the key policies that spell out your data protection requirements, and making them readily available to employees, ensures critical information can be easily accessed. Further, by developing comprehensive procedures for your workforce to follow, team members will feel comfortable and empowered to make informed decisions when using business technology.
- Assign a Data Protection Officer
We work with a lot of small business owners, so we know that hiring an entirely separate employee as a Data Protection Officer isn’t always feasible. However, you can assign this role to someone already on your payroll, perhaps a system administrator or the most tech-savvy member of your staff. Basically, it’s just a good idea to have someone specifically in charge of overseeing policy development to ensure compliance standards are being upheld. If – like our clients – you work with a managed IT service provider, talk with them about vCIO services or the best ways to monitor and manage data protection internally.
- Implement Breach Response Plans
This one is possibly the most important of all. GDPR requires all breaches to be disclosed in a timely fashion (within 72 hours, as noted above), and employees at all levels should be aware of this. Additionally, breach response plans are helpful because attacks often catch professionals off-guard. We can’t count the number of times we’ve heard from clients who were hit by a breach and totally unprepared to respond effectively. That’s why it’s our rule of thumb to have detailed response plans created before a breach happens. If employees encounter any kind of suspicious activity or a full-blown breach, they need to know exactly what’s expected of them in order to maintain compliance, shut the attack down and bounce back efficiently.
Regardless of your industry or the size of your company – if you do international business or have European staff members, GDPR impacts you. Furthermore, if you handle or store the data of European consumers – GDPR impacts you as well. Though it may seem you have lots of time to prepare before enforcement begins in May, getting on top of data security management now will save you from last-minute scrambling to ensure compliance standards are in place.
We get it – the constantly changing data security landscape can be a thorn in the side of your business. However, we also understand that cybercriminals never sleep. The recommendation we give to our clients – and to all other businesses – is to follow the guidelines provided by compliance mandates like GDPR. Even if you’re not directly impacted, building security compliance strategies into your business network will put you one step ahead of cyber threats. Furthermore, it will help you proactively position your company as the cybersecurity landscape continues to change.
Need a hand with data compliance? Every day, we help our clients develop and implement data security strategies that are reliable, strategic and proactive. If you’re looking to better manage IT security or if you’re trying to get a handle on data compliance, give us a shout.
No matter the specific needs or challenges, our team has likely seen it before and we’re passionate about developing customized security strategies for you so you can stay focused on business. Don’t hesitate to reach out – we’re here to make your IT work for you.