The General Data Protection Regulation, better known as “GDPR”, has been impacting IP departments and will continue to do so.
This is an extremely current topic. The GDPR has been big in the news these past few months — for good reason. This new law applies to all companies that collect and process data belonging to European Union (EU) citizens, even if this is done outside of the EU. This includes companies with operations in the EU and/or a web site or app that collects and processes EU citizen data. Most of us and our clients do business internationally in today’s globalized world. Key areas of this legislation cover privacy rights, data security, data control, and governance. The good news is that the law will be pretty much identical in all 28 EU member states, meaning companies only have to comply with one standard. However, the bar is set high and wide — forcing most companies to invest considerable resources to become compliant. And you will want to be in compliance. Failure to comply with GDPR could result in a hefty fine. If a company is found guilty of a breach that compromises an EU citizen’s data, the penalty could be up to 20 million euros or four percent of an enterprise’s worldwide revenue, whichever is larger!
To prepare for GDPR, organizations should take the following steps:
1. Understand the law: Know your obligations under GDPR as it relates to collecting, processing, and storing data, including the legislation’s many special categories.
2. Create a road map: Perform data discovery and document everything — research, findings, decisions, actions and the risks to data.
3. Know which data is regulated: First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
4. Begin with critical data and procedures: Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.
5. Assess and document other risks: Investigate any other risks to data not included in previous assessments.
6. Revise and repeat: Repeat steps four to six, and adjust findings where necessary.
For CSOs, GDPR provides a good opportunity to upgrade the organization’s security capabilities to both meet the regulation’s requirements and improve overall security vis-à-vis data confidentiality and privacy.
Yes, the GDPR requirements will impact most of our clients’ businesses. You had better understand what is expected from you and your company. Be in compliance.
For more information about the requirements, please email us at firstname.lastname@example.org.