The European Union’s new General Data Protection Regulation (GDPR) will affect businesses worldwide, even though many of them might not be aware of it yet.
Starting on 25 May 2018, all companies that do business in the EU, or that handle EU citizens’ personal data, will need to be GDPR compliant regardless of their size. Even though the enforcement of this new Regulation is approaching fast, many organizations haven’t even heard of it yet.
In fact, a staggering 82% of global respondents to a survey carried out by Dell stated that they know little or nothing about the GDPR. In addition, nearly all companies included in the survey admitted to not having any plan in place for 2018. Only about 3% of companies have an actual action plan, with Germany feeling the most prepared.
Adapting to the new requirements is going to be tough on businesses, and it will affect them along at least four dimensions. To be able to develop an efficient incident response plan and deal with the volume of breaches, companies will need to change their technology, procedures, recruiting and budgets.
Change in technologies
The General Data Protection Regulation strongly encourages security by design and by default. Prevention is better than mitigation, so the first thing organizations need to do is make sure the technology they develop or employ is GDPR compliant.
From the moment consent is requested from data subjects, through data hosting and access, the digital solutions businesses use must all comply with the regulation’s requirements.
Encryption, pseudonymization and tokenization are practices considered adequate under the GDPR for ensuring proper data protection.
Change in procedures
Using compliant technologies is not enough. Unless they are accompanied by adequate procedures, their use is of little value.
Organizations need to assess what types of data they hold and identify which of them would fall under the data breach notification requirement in the event of a breach. Larger businesses need to develop policies and procedures for handling data breaches, covering both mitigation and notification within the required timeline.
Procedures regarding data subjects’ consent must be established so that the process of giving and withdrawing consent is easy and unambiguous.
Change in recruiting
Both the choice of data processing partners and the hiring of staff will be affected by the General Data Protection Regulation.
Organizations need to review their current third-party service providers in order to make sure they are GDPR-compliant, especially those located outside the European Union.
Additionally, internal awareness training on the new regulation’s requirements must be carried out with current and future employees, as they are a key component of any organizational compliance framework.
Change in budgets
Businesses should anticipate the additional expenses that will arise from the need to introduce new procedures and tools, as well as to educate employees on the regulation.
Around 70% of the respondents to Baker & McKenzie’s Privacy Shield survey think that organizations will need to invest significantly more in achieving compliance. They expect these additional financial efforts to be directed in particular at consent requirements, accountability, and data privacy and protection officers.
In the face of all the new requirements that the GDPR will enforce, organizations will need to change some of their current policies in order to provide more transparency. They will need to let EU citizens learn what type of data is collected about them and for what purpose.