Where to begin with GDPR compliance: The clock is ticking

Data is often a company’s most critical asset. Businesses globally are collecting increasing amounts of data on customers and partners so they can be more competitive in the marketplace. In the European Union (EU), over 90% of citizens say they want some data protection rights across the EU, regardless of where their data is processed. But why?

Because similar to the large data breaches that have occurred in the US , an increasing number of cases have been reported in the EU as well. Consumers around the world are concerned about how their personal data is managed.

No One Is Immune 

Just last week, Virgin America was the latest target of a breach of employee and contractor data – affecting more than 3,000 employees and contractors.  The hackers gained access to login info, passwords and personal information like addresses, social security numbers, driver’s licenses, health information, and more.

The EU has taken the first step in requiring an increased focus on data governance and business transparency for personal data. In 2012, the European Commission (EC) embarked on a process to update and expand privacy regulations and enable EU residents to maintain control over their personal data. The General Data Protection Regulation (GDPR) will take effect May 25, 2018 and will replace the Data Protection Directive (Directive 95/46/EC), which is more than 20 years old. The new GDPR regulation is putting companies around the world in a frenzy trying to figure out how to comply. GDPR will have far-reaching compliance effects for anyone doing business in Europe or anywhere in the world involving European citizens.

The term “personal data” is interpreted with a wide lens. It covers the basics (name, address, etc.) and more, like cultural profile, genetic data, biometric data (fingerprints, facial recognition, etc.) This infographic by the EC provides a comprehensive look at GDPR compliance requirements – including what qualifies as personal data, why the rules are changing, what your company must do, and the cost of non-compliance.

Three Key Points about GDPR Compliance

• Right to be Forgotten Principle – Enables individuals to request the deletion or removal of their personal data. This principle is about empowering the individual, not about erasing past events or re-writing history. To satisfy this requirement, companies need to be equipped to deal with a large volume of data requests from EU citizens and have integrated systems to handle those requests.
• Mandatory Privacy Impact Assessments (PIAs) – Data controllers are required to conduct PIAs where privacy breach risks are high to minimize risks to data subjects.
• Breach Notification – Companies will need to inform affected individuals and relevant regulatory authorities about data breaches within 72 hours of discovering them.

Where do you start?  

The first step is to conduct a readiness assessment of your current data protection compliance programs and set up a roadmap to determine next steps. Conducting a readiness assessment is the best way to ensure the right protective measures are taken. It should be more than just a checklist. Assessments provide a good foundation to assess the potential and ongoing risk of systems and data flows within them. Fines for breach of GDPR are substantial – up to 4% of annual global turnover or €20 million ($23 million USD).

Key questions to ask your company about being GDPR compliant

Put simply, the goal of GDPR is to protect the rights of people giving you their data. GDPR provides an opportunity for companies to enhance their existing systems. Technology can power much of the internal change needed to help companies be more responsive and GDPR compliant.

It’s important to understand that companies can never outsource their liability to a cloud service provider. Even if you hire a GDPR compliant cloud source provider, your company is still liable. Which is why we, at AppZen, are working diligently to be GDPR compliant so our global customers are compliant from an expense management data governance standpoint.

Wherever you are in the process of becoming GDPR compliant, start documenting your thought process today to show regulators you’ve been taking steps in the right direction.