With just one month until the General Data Protection Regulation (GDPR) goes into effect, how far down the 6-step route to compliance has your company traveled?
The upcoming implementation of the GDPR is not only something for the world’s biggest tech titans to address. The new regulation gives individuals based in the European Union (EU) more power over what data they share and how organizations use it.
“As a result, (the GDPR) will affect businesses based anywhere in the world that offer goods or services to, or monitor the behavior of, EU-based individuals and in doing so process or hold data on them,” said John Hayward, Sitel Group’s EMEA legal counsel and recently appointed EU data protection officer (DPO).
With this in mind, and with the deadline approaching, here are the six major steps a company should take to align with the new regulations.
Complying with the GDPR is an organization-wide endeavor. Business leaders must be on board, and your workforce may require further training.
Do you know what personal information your organization holds, where it is stored, how it is currently used and whether you share it with partners? The GDPR will make your company liable for how your subcontractors and partners treat or use data on your behalf. Are they all compliant?
One of the key aims of the new regulation is to stop organizations from collecting information “just in case.” Collecting potentially personal data that could hypothetically be put to use in the future (but serves no actionable purpose today) is no longer allowed, and any data you do collect must rest on the individual’s consent or another lawful basis.
Consumers will be able to ask for their data to be corrected, deleted or transferred to another organization, so you need the procedures and the people in place to handle such requests within the one-month response deadline the regulation sets.
The GDPR aims to safeguard data. Therefore, to be compliant, companies should have a clear procedure in place for how they monitor for, detect and report a data breach, including notifying the relevant supervisory authority within 72 hours of becoming aware of it where the regulation requires, and what action they will take following its discovery.
The role of the DPO is to supervise the company’s compliance with its GDPR obligations. Not all companies need to formally recruit someone to this position. The GDPR states that a DPO is required when an organization carries out “regular and systematic monitoring of individuals on a large scale,” or “carries out the large scale processing of special categories of data, such as health records.”
Smaller companies that fall into these categories can look to an external expert to serve as their DPO.
No matter how far along the route to GDPR compliance your organization has traveled, recognize that the GDPR presents business opportunities in addition to compliance requirements.
“This regulation presents an opportunity to reconnect with your customers, to build trust and to promote transparency,” explains John Hayward. “Communicating with your customers what data you collect and how you use it fosters a greater understanding and, therefore, a greater scope for personalizing customer relations and the customer experience.”