You’ve probably received notifications about the new General Data Protection Regulation (GDPR) going into effect in the European Union (EU). As of May 2018, rules will be put into effect for organizations that do business with, and have data on, EU entities, which could be compromised or abused. GDPR seeks to establish one set of rules that all countries within the EU can apply to its members, as well as organizations outside the EU that touch this data.
There are a number of requirements that have to be met in order to comply with GDPR. How it applies to your specific situation will vary dramatically.
Here are a few ways to determine your role in GPDR:
- What kind of data do you work with? We are finding that even some smaller businesses interact with European entities, so it’s important to define internally what you will be responsible for.
- Establish where your organization stands as it pertains to the actual rules in GDPR. The good news is that a lot of what is required in the GDPR is not dramatically different than what you might find in domestic privacy rules regarding information such as HIPAA, PCI or DFARS.
These rules define a piece of data subject to regulation, like Personal Health Information in the case of HIPAA, and then set a series of standards regarding privacy, portability, consent, and so on.
So if your organization already has a solid data management strategy that considers regulations like these, you are probably fairly well positioned to meet the GDPR, even if a few changes are required to your posture.
- Perform an assessment. If this is the first time you are confronting compliance challenges, then it would be wise to do an assessment to:
a. Define the areas in which GDPR relevant data exists and flows throughout your organization.
b. Evaluate the protection of this data, as well as the rules surrounding staff use.
After the assessment, you can develop a remediation plan to address any shortcomings. Moving forward, data protection and management should just be a normal part of your decision making and management process, and then challenges like GDPR and other regulations will not seem like a hurdle.
Regardless of GPDR, every organization that handles protected information should come up with a security management and assessment process, and continue that discipline moving forward.
By developing a reasonable strategy now, regardless of the specter of the law which could change or surprise you, you can get ahead of the game. When it comes to data protection, it’s always best to exercise due diligence now before someone else demands it without your preparation.
If you would like to discuss your concerns with GDPR and other data protection issues, please contact us.