New data protection regulations are coming to the European Union and any business with access to the data of EU citizens should waste no time preparing for the changes ahead.

On May 25, 2018, the General Data Protection Regulation (GDPR) will become law. Regarded as one of the biggest legislative developments within the data protection and privacy space, GDPR will impact many businesses – potentially including those located outside of the EU – that hold personal data on EU residents.

In the past, EU businesses haven’t been required to disclose security breaches. Once the GDPR goes into effect, that will change. New accountability obligations coupled with tighter restrictions on data aim to make the privacy and protection of personal information a priority for every business.

However, there’s plenty of work to be done as May 2018 approaches.

According to a survey from AvePoint, only 26 percent of multinational organizations keep records of data processing and transfers. That’s problematic, especially considering the maximum fines defined by GDPR can be as high as the greater of 20 million euros or four percent of a company’s global annual turnover.

With less than a year until GDPR becomes the law of the land, here’s what businesses can do to put themselves on the path toward compliance.

Analyze the data

Organizations with access to data from EU citizens can start off by taking stock of where personal data is being stored as well as what it’s being used for. Keeping a close eye on sensitive information might make it easier for businesses to work toward compliance mandates later on. In some cases, these organizations may examine the data and realize they no longer need it, reducing the risk of fines and other penalties tied to noncompliance.

Put security policies to the test

The right tools can go a long way toward ensuring personal data doesn’t fall into the wrong hands. For example, the Privacy Impact Assessment (PIA) may provide a detailed look at how data is shared throughout a company and maintained for years to come. These types of assessments help shed light on potential risks as well as ways in which security systems and policies can be improved moving forward.

Go on the defense

Equipped with their risk evaluation, businesses should next implement technical measures to ramp up both security and privacy. From encrypting devices and securely wiping old software to archiving needed emails containing personal data, there’s no shortage of ways to protect sensitive data. Regardless of which avenue they choose, it’s crucial that businesses take the time to review the effectiveness of each method.

A survey conducted by FireMon found that more than half of all IT professionals have experienced a firewall configuration change that opened a potential security breach and ultimately caused business downtime. By carefully evaluating each technical measure put in place, organizations can ensure customer information stays secure.

Know customer rights

Under the GDPR, EU citizens will have more control over their personal information than ever before. As a result, businesses must be prepared to get their data access and deletion policies up to speed. Moving forward, except under certain conditions such as public interest in the area of health, customers may enjoy the right to erase any and all personal data being held by a company.

Similarly, the right to access and correct personal records will also be made available to EU residents. Organizations that make a concerted effort to review and update their data policies will be better positioned to provide the data management customers will come to expect.

Given the new requirements of the GDPR, businesses ought to take another look at the way data is collected, processed and managed. From analyzing consumer data to implementing technical measures, organizations that follow the four steps outlined above will be on the path to achieving compliance and protecting the private information of EU citizens long after the GDPR goes into effect.

Tony Ball

Tony Ball is senior vice president and general manager, identity access management, at Entrust Datacard.