GDPR compliance: 3 must-do’s for enterprise maintenance
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) becomes applicable. As the deadline draws near, enterprise organizations around the world are scrambling to ensure their operations comply with this landmark data protection regulation.
As most businesses know by now, the EU’s new rules reach well beyond Europe. GDPR applies to any organization, wherever it is established, that processes the personal data of people who are in the EU in connection with offering them goods or services or monitoring their behaviour there. Nationality and citizenship are irrelevant: what matters is that the individuals are in the Union when the data is collected. It doesn’t matter if your organization has never officially set foot on European soil; if it targets or tracks people in the EU, GDPR compliance is non-negotiable.
After May 25, companies face penalties for failing to adhere to GDPR: administrative fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements. But in the mad dash to reform practices ahead of the deadline, businesses must also consider how a continued GDPR strategy maintains organizational compliance in the future. The work doesn’t end when compliance is achieved: Sustainable practices must be in place to ensure compliance well into the future. Here are three core components of a compliance maintenance plan.
Build GDPR compliance expectations into employee contracts
At any organization, employee responsibility will have a huge role in the company’s continued GDPR compliance. Uninformed or malicious employees could compromise the entire organization by mismanaging customer data, thereby violating GDPR.
Businesses can address this challenge by adjusting employee contracts to feature new incentives, as well as penalties that could range from lost bonuses and reduced benefits to termination. A survey from Veritas Technologies found that 47 percent of businesses plan to add GDPR compliance clauses to their employee contracts.
Set up regular auditing
Data management will face close scrutiny under GDPR, and businesses will need to routinely audit their systems to ensure the right management practices remain in place. Auditing reports should be generated on a regular basis to document where personal data is located and how it is stored, as well as the processes for managing and securing this data. Methods for obtaining consumer consent should also be addressed in these audits, and enterprises will have to explain the purposes for which stored data is used and the legal basis for each processing activity. Much of this overlaps with the record of processing activities that Article 30 of GDPR requires most controllers and processors to maintain, so the audit can double as the mechanism that keeps that record current.
According to Information Age, this information is often referred to as a golden record documenting all available information about consumer data storage. GDPR’s accountability principle means the organization must be able to demonstrate compliance, not merely claim it. If regulators come knocking, these auditing documents will be invaluable in defending your practices and proving your business has remained in compliance.
Test your response plan for a data breach
Under GDPR, a data controller must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33). If notification is late, the controller must explain the delay. Where the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay (Article 34). This time frame requires businesses to quickly detect, assess and report breaches if they want to minimize the penalties they face.
With that in mind, organizations should set up a procedure for handling these reports and exercise it before a real incident. Response teams should be established and tasked with leading the investigation and reporting process. IT must be able to quickly coordinate containment and remediation, and the facts of the breach, its effects and the remedial action taken should be documented, both for the report to the regulator and for the internal breach register that Article 33(5) requires regardless of whether a breach is reported. Quick, efficient and organized responses to incidents will show that your organization takes GDPR seriously, and they will help foster a company culture committed to these new privacy policies.
The General Data Protection Regulation is uncharted territory for many businesses, but information and resources are available through the GDPR website to help businesses come into compliance. Once your business is set to meet the May 25 deadline, turn your focus to the strategies that will sustain compliance and the new efforts to protect consumer data.