Three keys to being GDPR compliant
By Ian Philpot
We’re less than a month away from the enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25. If businesses haven’t taken the necessary steps to comply with the rules already, they could be in big trouble.
By Ian Philpot
The new regulations will have massive implications for all businesses working with EU data, and includes strict mechanisms that implement tighter rules for companies when it comes to the handling of that data.
It applies to companies in all countries, including Canada, that have access to EU personal information. This includes European customers or clients, or those that process European data on behalf of their clients. Given Canada’s close economic ties with the EU, this likely applies to most sizeable Canadian businesses. Most companies are not fully aware of the depth and reach of the regulations. They need to think about all stakeholders they collaborate with – be it vendors, contractors, or subcontractors.
The GDPR does not include an opt-out clause. Businesses must comply, or be subjected to heavy fines of up to €20 million, or four per cent of their global gross revenue – whichever figure is the greater. Such fines can break an organization.
There’s still time to become GDPR-ready, but businesses need to take the necessary steps in order to prepare their organization’s information for compliance, ensuring they get proper and full control of their organization’s content, including where it’s stored, where it’s processed, and how it’s used.
Here are three keys to understanding GDPR compliance, and how companies can prepare themselves accordingly.
• Data accountability: Under Article 5 of the GDPR, it’s necessary to be fully transparent of the data you possess and aware of the information you’re storing and collecting, in case that data is requested by a GDPR regulator. This also includes records for consent of collection, and the installation of proactive privacy practices that are transparent to customers. This will require mapping out the data under your possession, understanding where it sits, where its flowing and who has access — both inside and outside of Canadian borders. They will also need to reorient how they develop data capture application forms so that they’re clear, straightforward and that customers are aware of what they’re signing up for.
• Managing data usage controls: The GDPR enforces strict new usage controls over data that companies possess. These include principles such as “data minimization,” “data portability,” and the infamous “right to be forgotten.” In order to get a handle of all these principles, companies must establish internal strategies and take the necessary steps to ensure data protection by design and by default. It requires having complete control over customer content and data, having the ability to limit the amount of data collected when possible, and easily deleting that data upon request.
• It may even be of value to hire a data comptroller that oversees how data is being managed by the organization, what future changes to GDPR legislation may impact the personal data under their control, and what kind of notifications the company needs to deliver to their customers.
• Mandatory breach notification: Companies will be required to report on any data breaches within 72 hours to both GDPR regulators and to those directly affected by the breach. Failure to report properly and fully within 72 hours could result in penalties of up to four per cent of global annual revenue. Data breaches under GDPR includes any breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The term broadly encompasses any unauthorized use or access of personal data.
• One of the key features of GDPR is security by design and by default. It requires that companies have secure data management processes to mitigate breaches, and limit the scope of breaches if they do occur. In the case of a breach, in order to comply with the 72 hour rule it will be imperative for companies to be able to document breaches as thoroughly as possible and have a plan in place to provide all the necessary details to GDPR regulators, including the categories and approximate number of individuals and data records concerned, and the potential consequences of that breach.
The requirements for GDPR compliance are immense. Canadian companies need to take action now, if they haven’t done so already. Staying informed of GDPR regulations, and have the content management software in place in order to comply with the rules will be key to avoiding any break of the law.
Ian Philpot is the Vice President of Box Canada.