GDPR

GDPR Is Here – Not Quite Ready For It, Are You?

Jun 13, 2018

The deadline for GDPR compliance has come and gone

After many discussions and warnings, the General Data Protection Regulation (GDPR) is finally here. This law applies to organizations that conduct business in Europe to protect confidential data for citizens in the European Union (EU). This is true for companies no matter where they operate.

If you do business with EU citizens, you must comply with the GDPR, which means that almost every major corporation and media group in the world is affected. Here’s the problem, though – the enforcement date for the new GDPR was May 25, 2018.

U.S. businesses often fail to plan and, instead, operate in a reactionary mode – this is no exception. Despite the buzz that the GDPR has been stirring up in the industry in the months leading up to the enforcement date, there are still many businesses that aren’t compliant.

Watch Our GDPR Online Training

Key considerations involving the GDPR include:

  • Businesses must provide the same high-level protection for people’s IP addresses and cookie data for names, addresses, and government identification information like National Insurance Numbers. (Cookie data is a text file a Web browser stores on a user’s computer.)
  • The conditions for consent are now more stringent. Companies can no longer use long terms and conditions in legalese. Consent must be provided in an easy-to-understand format and in plain language.
  • If a breach does occur, breach notification must be completed within 72 hours of first having become aware of it. Businesses must notify their customers, controllers, and authorities without delay.

“The mandatory 72-hour GDPR breach-notification period has security professionals at Amnet [concerned] because most businesses aren’t prepared,” said Trevor Dierdorff, Amnet founder and CEO, to the Colorado Springs Business Journal. “The United States doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. Colorado’s requirement is less specific…”

Why You Need To Act Fast

The bottom line is that businesses that fail to comply could be fined 4% of their global revenue, up to $20 million. Plus, the consumers whose data is breached can file class-action suits against them for noncompliance.

Regulators in the European Union will likely impose the largest fines they can, and they’ll make an example of organizations that lack compliance–and will do so within the first 90 days of the breach. This is similar to how the U.S. Health and Human Services/Office of Civil Rights handle the same situation with their “Wall of Shame” and HIPAA non-compliance cases.

How Can You Catch Up With GDPR Compliance Right Now?

The following are steps your organization should take to prepare your technology for the GDPR.  

  • Perform a thorough inventory of your personally identifiable information where it’s stored–in onsite storage or the cloud. And determine in what geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
  • Undergo a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your provider of managed IT services can create an action plan to fill in the gaps. The right partner in IT will understand the GDPR and how your IT must support your compliance efforts.
  • Create an Action Plan. Your partner in IT services should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
  • Double-check your data privacy standards. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for any size of an organization. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.”  This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
  • Be sure to document and monitor everything you do related to GDPR Compliance. This includes any changes or upgrades your Managed Services Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when protecting citizens’ private information and practice “defense-in-depth” strategies where you use multiple layers of security controls regarding your technology.

“Smaller businesses with no presence in Europe may not need to be concerned with GDPR compliance,” Dierdorff told the Colorado Springs Business Journal. “However, an increased focus on cybersecurity is a must regardless of your size. Breaches of your business data can be devastating. Most small and mid-sized businesses in our region are more vulnerable than they realize.” 

For more information about the GDPR and how to get compliant quickly, contact the Amnet team of security professionals at (719) 442-6683 or info@amnet.net.