The United States has a number of different laws surrounding the protection of personal data such as HIPAA, SOX, PCI-DSS, and FTC, to name a few. Despite this, there is still a need for a centralized regulatory framework to deal with the collection, use, and dissemination of personal data. This need will soon be met once the General Data Protection Regulation (GDPR) comes into effect.
The GDPR has what is referred to as “extraterritorial” scope. Basically, if an organization – regardless of where they are located – stores or processes personal data that is connected to EU citizens in some way, they will be bound by the GDPR. Many US companies that operate in the EU are already bound by the current EU Data Protection Directive. As such, these companies will already be familiar with some aspects of the GDPR.
Under the GDPR, organizations are required to know what data they hold, who has access to this data, and where the data is located. The GDPR primarily focuses on personally identifiable information (PII), which includes credit card numbers, Social Security numbers, dates of birth, names, addresses and other such information. Failing to comply with the provisions of the GDPR could be very costly, with fines of up to €20 million or 4 percent of your annual turnover (whichever is greater).
So, if your company deals with EU citizens in some way, you need to start preparing for the GDPR, if you have not done so already. Here are some of the steps that organizations should take to comply with the GDPR:
Firstly, organizations need to raise awareness of what the GDPR is and make sure that all staff members and stakeholders are aware of the consequences of non-compliance.
Organizations need to make sure they know the difference between data controllers and data processors and be able to determine which category they fall into. Doing so will help shape their preparations.
Organizations will need to carry out a full audit of their personal data. They will need to know exactly what data they have, who has access to the data, where it is stored, why the data is being stored and for how long. Additionally, they will need to document the process for deleting the data.
To make this stage easier, organizations should adopt an advanced auditing solution such as LepideAuditor, which aggregates the raw event logs, and presents them via a single intuitive pane. Such solutions enable organizations to automatically detect, report and respond to suspicious changes made to their sensitive data.
Organizations will need to appoint a representative who will be in contact with the supervisory authority. Organizations that are either a public authority, process data belonging to EU citizens on a large scale, or process data relating to criminal convictions, will need to appoint a Data Protection Officer (DPO).
Under the GDPR, privacy notices must be understandable and accessible. When an organization collects personal data, it must ensure that the data subject has fully understood the reasons why their data is being collected, and that consent is obtained. Likewise, it will need to be able to track and comply with the data subject’s preferences.
Organizations must review any service level agreements associated with third-party providers and ensure that they are compliant with the GDPR.