23 May

7 Steps To Ensure Your Business Is GDPR Compliant

Have you procrastinated and waited until the last minute (or past the GDPR deadline) to get your company’s data in order? We’ve broken it down into 7 steps to make sure you’re compliant:

Document Existing Data Policy

If you haven’t already, use this as a reason to get organized when it comes to your data. Create a folder on your company’s file system that will house all of the details regarding your data collection, processing, and storage.

We recommend starting with a data map to outline what data is collected by your business and where. From there, separate the data into categories so that you can more easily identify the lawful basis for processing each category of data.

Document diligently, as this could serve as proof in your defense if needed.

Understand The GDPR Requirements

Involve key stakeholders and executive leadership to place a high priority on cyber preparedness. These may include representatives from marketing, finance, sales, operations and any group that collects, analyzes, or makes use of customer data.

Make sure that everyone is on the same page in regards to the requirements of the new regulation and how your business must move to adhere to it.

Some key questions to ask:

  1. How will you obtain and record users’ consent in accordance with the regulation?
  2. What is the process for deleting data?
  3. How will you ensure that data is truly deleted across all systems, including backups and any third-party processors?
  4. How will you export and transfer data if a consumer requests it (data portability)?
  5. What processes are in place to verify that the person requesting changes is, in fact, the person they say they are?
  6. What is the notification plan in the event of a breach, both to the supervisory authority and, where required, to the affected individuals?

Hire Or Appoint A DPO

The regulation only mandates a DPO for certain organizations (public authorities, and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), but appointing one voluntarily is a sound way to own the program. Determine if you can add these duties to an existing position or if you’ll need to hire a new team member to do the job. Virtual DPOs are also an option, as the regulation allows a single DPO to serve several organizations, for example as an external consultant.

Identify And Correct Non-Compliant Processes

Compare your data audit to the requirements of the GDPR, paying particular attention to privacy, data subject rights and the processes behind them, data requests, data processing, and consent.

A large part of compliance may be setting up incident response plans. Under the GDPR, a controller must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must notify the affected individuals without undue delay when the risk to them is high. Make sure your team knows how to detect, escalate, and respond to a security breach so that the clock is not lost to confusion.

Conducting a risk assessment will also allow you to uncover Shadow IT. Matt Fisher, SVP at Snow Software, likens Shadow IT to an iceberg. “The iceberg effect poses a serious risk to organizations’ GDPR compliance as many are focused on the 10 percent of applications holding personal data that are visible at the water’s surface,” he says.

Other internal tasks to take on include:

  • Create a Password Policy.
  • Serve your website over HTTPS.
  • Create a Data Retention Schedule and Destruction Policy.
  • Re-contact your existing contacts to obtain a fresh “opt in” wherever the consent you hold does not meet the GDPR standard.
  • Update your website’s Privacy Policy.

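One way to make two of the items above concrete, the retention schedule and destruction policy, and the earlier question of how you ensure data is truly deleted across all systems: the following added example is not code from the original post or from Softsys Hosting. It assumes a hypothetical retention schedule keyed by data category, three hypothetical in-memory "stores" standing in for a CRM, a mailing list and a backup index, and constructed sample records. A record whose category has no retention period is flagged rather than silently kept, since an unscheduled category usually means a store (or a piece of Shadow IT) that the data map missed.

```python
"""Retention-schedule enforcement and cross-system erasure check.

Added example, not from the original post. Schedule, store names and
records are hypothetical, constructed for illustration.
"""
import copy
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: data category -> maximum days kept
# after collection. Invoices are kept longer for a (hypothetical) tax
# record-keeping obligation, which is a lawful basis distinct from consent.
RETENTION_DAYS = {
    "marketing_contact": 365,
    "support_ticket": 730,
    "invoice": 3650,
}


def _ts(day):
    """Parse a YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample data: three separate systems that each hold personal data.
_SAMPLE_STORES = {
    "crm": [
        {"id": "c1", "subject": "alice@example.com", "category": "support_ticket", "collected_at": _ts("2015-01-10")},
        {"id": "c2", "subject": "bob@example.com", "category": "invoice", "collected_at": _ts("2016-06-01")},
    ],
    "mailing_list": [
        {"id": "m1", "subject": "alice@example.com", "category": "marketing_contact", "collected_at": _ts("2017-02-01")},
        {"id": "m2", "subject": "carol@example.com", "category": "marketing_contact", "collected_at": _ts("2018-05-01")},
    ],
    "backup_index": [
        {"id": "b1", "subject": "alice@example.com", "category": "support_ticket", "collected_at": _ts("2015-01-10")},
        # Category not covered by the schedule: a gap the data map must resolve.
        {"id": "b2", "subject": "dave@example.com", "category": "newsletter_legacy", "collected_at": _ts("2014-01-01")},
    ],
}

# Fixed "current date" so the example is deterministic.
NOW = _ts("2018-05-23")


def fresh_stores():
    """Return an independent copy of the sample stores (they are mutated by erase_subject)."""
    return copy.deepcopy(_SAMPLE_STORES)


def records_past_retention(stores, schedule, now):
    """Return (expired, unscheduled) lists of (store_name, record_id).

    expired: records older than their category's retention period.
    unscheduled: records whose category has no retention period at all.
    """
    expired, unscheduled = [], []
    for store_name, records in stores.items():
        for rec in records:
            days = schedule.get(rec["category"])
            if days is None:
                unscheduled.append((store_name, rec["id"]))
            elif now - rec["collected_at"] > timedelta(days=days):
                expired.append((store_name, rec["id"]))
    return expired, unscheduled


def erase_subject(subject, stores, only=None):
    """Delete every record about `subject` from the named stores (all stores by default).

    Mutates `stores` in place and returns {store_name: number_removed}.
    """
    removed = {}
    for name, records in stores.items():
        if only is not None and name not in only:
            continue
        kept = [r for r in records if r["subject"] != subject]
        removed[name] = len(records) - len(kept)
        records[:] = kept
    return removed


def verify_erased(subject, stores):
    """Return the sorted names of stores that still hold any record about `subject`.

    An empty list is the only acceptable answer to "is it truly deleted everywhere?".
    """
    return sorted(
        name for name, records in stores.items()
        if any(r["subject"] == subject for r in records)
    )


if __name__ == "__main__":
    stores = fresh_stores()
    expired, unscheduled = records_past_retention(stores, RETENTION_DAYS, NOW)
    print("past retention:", expired)
    print("no schedule (investigate):", unscheduled)
    # Erasing from only the "obvious" systems leaves residue in the backup index.
    erase_subject("alice@example.com", stores, only={"crm", "mailing_list"})
    print("still holding alice:", verify_erased("alice@example.com", stores))
```

Running the script shows the failure mode the checklist question is about: an erasure run against only the CRM and mailing list reports success in those two systems while `verify_erased` still finds the subject in the backup index. The verification step, not the deletion step, is what you would document as evidence.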
Communicate With Partners And Vendors

The risk of Shadow IT makes it critical to communicate with your third-party vendors and partners as well. Under the regulation, both data controllers and data processors have direct obligations and can be held liable, and a controller may only use processors that provide sufficient guarantees of compliance, under a written contract that sets out the processing. That means that if you use a separate data processor who is not in compliance, your business is on the hook as well.

Report Your GDPR Compliance Progress

Article 30 of the GDPR requires controllers and processors to maintain a Record of Processing Activities (RoPA): what personal data is processed, for what purposes, who receives it, any transfers outside the EU, the envisaged retention periods, and a general description of the security measures. (Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data.) Keeping the record helps you take inventory of risky applications and gives you a clear picture of how data moves throughout your departments and software.

Ask For Help (If Needed)

Feeling a bit overwhelmed? Ask for help. At Softsys Hosting, we’re fully prepared to help make sure you feel confident in your data storage and protocols.

23 May

The GDPR: Explained

As we near the enforceable date of May 25th, it seems that GDPR is the buzzword of the month. But what is it? And, more importantly, what does it mean for your business?

Doing your research and preparing now will not only help you stay compliant yourself, but also answer any questions your clients have about how you’re handling their personal data.

The Overview

In short, GDPR stands for the General Data Protection Regulation, a regulation in European Union law. Developed in order to return control of personal data to consumers, it also simplifies the regulatory environment for businesses by replacing the patchwork of national data protection laws with a single regulation across the EU.

While it may seem to be a recent focus for businesses and in the press, it was actually adopted over two years ago – in April of 2016. The renewed exposure is due to the fact that the regulation becomes enforceable on May 25th, 2018, after a two-year transition period.

The Details

The GDPR protects consumers’ personal data, which it defines broadly as any information relating to an identified or identifiable natural person. That covers basic identity information (name, address, ID numbers), web data such as IP addresses and cookie identifiers, and location data. A narrower set of “special categories” receives extra protection: biometric data used for identification, health and genetic data, racial or ethnic origin, sexual orientation, and political opinions, among others.

In order to protect that data, the regulation outlines the lawful basis for processing, definition of consent, guidelines to follow in the event of a data breach, among other requirements for compliance.

One example of a GDPR requirement is the right to be forgotten (the right to erasure). In the circumstances the regulation sets out, such as when the data is no longer necessary for its original purpose or the individual withdraws consent, it compels companies to erase personal data upon consumer request. The regulation also requires that data be kept “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Additionally, some companies are required to appoint a Data Protection Officer to oversee GDPR compliance and data security. The International Association for Privacy Professionals estimates that nearly 30,000 companies will need to hire a DPO.

Potentially the biggest area for concern lies in Articles 25 and 32. Here, the GDPR requires companies to build data protection in by design and by default, and to implement technical and organizational measures that provide a level of security “appropriate to the risk,” taking into account the state of the art and the cost of implementation. It names pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore access after an incident, and regular testing of those measures as examples. What counts as “appropriate” is not spelled out further and will be judged case by case by the supervisory authorities.

The Impact

You may be thinking, “Whew – I’m not based in the EU, glad I don’t have to worry about compliance.” You may be right. However, if you have an establishment in an EU country, offer goods or services to people in the EU, or monitor the behaviour of people in the EU, you are required to comply regardless of where your business is located.

Furthermore, the GDPR holds both data controllers and data processors responsible for compliance, and a controller may only use processors that provide sufficient guarantees that they meet the regulation’s requirements. That means that if you’re using a third-party processing service that is not in compliance, your business is not in compliance.

Ultimately, the goal of the GDPR is to force companies to change the way they process, store, and protect personal data. As a result of these requirements and fines, nearly 85% of US based companies believe that the GDPR will put them at a disadvantage to European companies, according to a study by Ovum.

The Enforcement

Enforced by independent Supervisory Authorities (at least one in each member state), the GDPR gives these authorities the power to conduct audits, review certifications, issue warnings and reprimands, impose temporary or permanent limitations on processing, suspend data flows to recipients found non-compliant, and impose administrative fines.

Those administrative fines can be extremely high: for the most serious infringements, up to 4% of a business’ total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.

Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year. Don’t let your company be among them!