OK, we’re not talking about Europe of ’80s music fame. It is the same countdown idea, though, and unfortunately five minutes of synth keyboards and catchy melodies won’t cut it this time.
There is a lot of work ahead for data center operators staring down the May 2018 deadline for the EU General Data Protection Regulation (GDPR). The first challenge may seem daunting, but it pales in comparison to the legwork U.S. companies need to do after it.
The first challenge: none of this was budgeted, so companies now have to find the money partway through their fiscal year. According to a PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements, and another 9 percent expect to spend more than $10 million. That is a lot to ask of companies that already have a hard enough time budgeting.
The second challenge is the brutal one: getting a handle on everywhere personal data may reside. It is like trying to pick up every grain of sand from the car seats after a day at the beach. Every company relies on data to some extent, and that data lives in many different places. Data center operators have the most insight into this, but it is still a tough task.
GDPR will be a seismic shift in information management and privacy in two major ways:
- It transfers control of personal information to the individuals it describes, away from the companies that collect and process it. For example, where a company relies on consent, GDPR requires individuals in the EU to opt in to data collection, as opposed to most situations today, where data is collected by default and people have to opt out to stop it.
- It changes how that information must be kept secure, and the reporting requirements are far more stringent. One example is the breach notification rule: a personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it.
Taking the right steps before the May deadline is crucial for preparing your organization. The checklist below will put your company in a good position to keep up with GDPR once it applies.
What do I do now?
- Conduct a risk assessment and gap analysis: find where personal data is stored, transmitted and processed, and uncover any shadow IT.
- Establish a sense of urgency from the top: board of directors and C-level mandates.
- Involve all stakeholders, not just IT. Every business unit that uses or stores personal data is in scope.
- Hire or appoint a Data Protection Officer (DPO). A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Create a data protection plan.
- Create a plan to report your GDPR compliance progress.
- Implement measures to mitigate risk.
- Test incident response plans: 72 hours to notify the supervisory authority is a short window compared with the month or more that breach disclosure takes at many organizations today.
- Set up a process for ongoing assessment – compliance is a continuum, not a point in time.
Before you start, here are a few recommendations for planning your GDPR compliance project.
Recommendations for U.S. Companies
1. Determine whether you are a data controller or a data processor. This will shape your preparations. The regulation splits responsibility for protecting data between two roles: controllers, which determine the purposes and means of processing, and processors, which process personal data on a controller’s behalf. Both parties are liable for upholding data subjects’ rights. In some cases you can be both controller and processor, or a controller that uses multiple processors. Understand the GDPR definitions and get the advice of your legal team.
2. Audit your data. This is one of the most time-consuming tasks, but it reaps multiple benefits. Find out what data you have, where it is, why you have it, how long you need it, and what processes you currently have for deleting it. Can you get a single view of your data subjects? There are database solution providers who can help you build one. A single view is necessary to be able to “forget” (delete) a data subject’s information from everywhere you have it stored.
3. Work with your legal team and GDPR experts to determine which EU member state’s supervisory authority you will deal with. If your company has no establishment in the EU, you must designate a representative established in one of the member states where the data subjects whose data you process are located. This representative is the point of contact for supervisory authorities and data subjects on GDPR matters.
4. Redesign what consent and disclosure look like for your customers. Consent is only one of the lawful bases for processing, but where you rely on it, data subjects must take a clear affirmative action, such as checking a box, for each distinct purpose you have for their data, including profiling and big data analytics; pre-ticked boxes and silence do not count. They must be able to accept the purposes they agree with, decline the ones they don’t, and withdraw consent as easily as they gave it, and your systems must record and honor those choices.
5. Audit your third-party providers and re-evaluate service level agreements. GDPR allows you to use only processors that provide sufficient guarantees of compliance, under a contract containing the terms the regulation requires. A vendor that cannot demonstrate its compliance puts your processing of EU personal data out of compliance as well.
6. Consider where your data centers should be. GDPR does not require that EU data stay in the EU, but transfers outside it are allowed only under an approved mechanism such as standard contractual clauses or binding corporate rules. Some companies are moving data centers to the EU to simplify this; some cloud-based database providers can identify and segregate EU data for you.
About the Author
Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. Reber was among the first to recognize and address the risks presented by consumer-facing applications, and built AsTech’s reputation over 20 years as a leader in risk management.