7 Steps Towards GDPR Compliance
What does your reputation mean to you? In the case of business, a good reputation can boost brand loyalty, respect and trust. Today, breaches of personally identifiable information (PII) can have a devastating effect on how consumers view a company.
Soon, the European Union’s (EU) General Data Protection Regulation (GDPR) will add a significant fine to any breach of information for any European citizen.
In short, the law is about data protection. First proposed in 2012, EU member states agreed to the reform on December 15 2015 and it will come into law in the first few months of 2016. There will then be a two year ‘lead-on’ period, giving companies the time to prepare for the law before it begins enforcement.
If your company deals with ‘personally identifiable information’ about EU citizens, you will have to comply with the law. Companies that fail to comply with the GDPR will face steep fines – either 4% of all revenues or €20,000,000. Failure to comply will have a much larger impact on your reputation. For a full overview, download our free eBook on the GDPR today for in-depth analysis and guidance.
So, what practical steps does your business need to take to prepare for the GDPR.
1. Create your governance team
To begin preparations, you should create a GDPR data governance team. It might involve a part time team, a matrixed team or a permanent project group. Whatever the case, the team should involve individuals from different areas of your business, especially IT and legal departments. This will help the team gain strong knowledge of the regulations and how to translate those regulations for their respective divisions as they create the project or framework for implementing GDPR compliance.
2. Develop a notification breach process
Organizations that have had their data breached must notify the authorities and the individuals whose data has been stolen within 24 hours. You will need to ensure this process is in place, that you know what to do and who to contact in the worst case scenario.
3. Choose a base in the EU
The GDPR requires all companies who have operations in multiple EU countries to choose one state where they will deal with supervisory authorities.
4. Review your existing data assets
If you hope to comply with the GDPR, you need to actually know what data you hold. Carry out a review of your current data storage and understand:
Where and what form is your data stored
What kinds of data you hold
What you do with this data
Who can access this data
Is data ever shared with third parties
5. Ensure your existing systems are compliant
To comply with the GDPR, you must prove you are currently storing data in the most secure manner. If it’s discovered you currently hold PII in an insecure way, expect repercussions. For instance, if you use SharePoint to store private data, you will need to perform a review of your existing data and ensure all data stored in future is compliant.
Sensitive Content Manager from Metalogix can help here; it uses machine learning to constantly scan your SharePoint environment and discover PII, so you can ensure this is stored securely.
6. Train your employees
With the new laws coming into place, your employees will need training regarding best practices around data storage, treatment and collection. Depending on how your company uses data, this may mean retraining them to stop specific practices that will become illegal.
7. Employ a data protection officer or find a consultant
Firms with over 250 employees must hire an independent data protection officer to constantly review the company’s existing data protection practices. Smaller organizations will be able to get help from compliance experts.
Contact us today for further advice on the GDPR and to learn how ControlPoint can give you peace of mind by discovering PII in SharePoint.
Adam is a Director of Product Management at Metalogix and a Microsoft MVP advocating for collaboration by connecting business needs with the right technology. Prior to Metalogix, Adam was a Practice Lead for Office 365 in a cutting edge Microsoft Consulting firm where he was responsible for moving customers to the cloud, designing and implementing information architecture (SharePoint Farm and content) and increasing user adoption. Adam is an ongoing member of the SharePoint Saturday DC coordinating committee and active speaker at various events.