Whether or not a business is located in Europe doesn’t matter when it comes to General Data Protection Regulation (GDPR) requirements; what matters is the data collected and if that data involves citizens in European Union (EU) countries.
If a business has EU clients and/or business partners, even if it is just one client or business partner, it means the company must comply with GDPR.
The deadline to meet compliance is May 25. To help you meet this deadline, here’s a checklist of things to do to get on track with GDPR compliance requirements.
- Ensure global data hygiene standards are being met and monitored by top management so that everyone is already taking the basic steps to keep data clean.
- Involve the departments and people within the company that collect, analyze, and/or otherwise make use of customers’ PII (personally identifiable information) to create a GDPR lead group.
- Conduct a risk assessment to find out what data you store and process on EU citizens, manage the risks you identify, and uncover any shadow IT that might be collecting and storing PII (which could put you out of compliance if left unaddressed).
- Get a full picture of your entire IT infrastructure and an inventory of all applications and any other place data could be stored.
- Hire or appoint a DPO (data protection officer) who can ensure the protection of PII with no conflict of interest. Virtual DPOs, such as consultants, are an option.
- Create, review and/or update data protection plans to ensure that those plans align with GDPR requirements.
- Ensure that mobile devices, along with their apps, that access and store PII do so in a GDPR-compliant manner.
- Test your incident response plans to ensure they meet the GDPR requirement that companies report breaches within 72 hours.
- Set up a process for ongoing assessment to ensure that you remain in compliance with GDPR over the long term.
- If you don’t have the resources to fulfill all these needs, ask for help.
Some concerns that have been raised about GDPR involve what constitutes PII and whether companies are required to give the same level of protection to data such as an individual’s IP address or cookie data as to information like name and address.
Unfortunately for companies and security teams, the GDPR leaves room for interpretation since it uses the term “reasonable” level of protection and doesn’t define that “reasonable” level. However, consulting with security experts and taking a holistic cybersecurity approach can both be helpful in being better prepared.
If you have questions or need help regarding the GDPR, give us a call!
Schedule your free consultation before the GDPR deadline on May 25 to meet the necessary compliance requirements and, in doing so, avoid losing business or having to pay hefty fines for non-compliance.