General Data Protection Regulation (GDPR), familiar with it? It’s Europe’s new data privacy regulation, approved in April 2016 and rolling out May 2018, just 8 months from now, hence the buzz.
This hot topic has been a source of stress for many enterprise and global organizations that are well underway with implementing new systems and processes to ensure compliance and data protection. Then there are the 37 percent of companies that are not sure whether they are subject to the regulation and may be taking the "wait and see" approach. So how do you know if your customer has to comply?
- Do they have customers in Europe?
- Do they have any employees in Europe (even just one)?
- Do they collect/analyze data on anyone in Europe?
If the answer is yes to any of the above questions, they are required to meet the requirements of the new regulation. The cliff notes have been published by almost every media outlet since before the regulation was approved. Here are a couple main points that companies should be aware of:
- Consent: Implied consent is no longer enough; specific, clear, informed consent is required. Data processing must be agreed to, and permission can be revoked at any time.
- Accountability and Governance: Too many companies have little knowledge of all the places in which their data resides. Data controllers are responsible for reviewing current environments and ensuring data protection, among other things.
- Individual Rights: From data portability, the right to be forgotten (erasure), the right to be informed, the right to access and the right to object, individuals in the EU have many more rights over their personal information, and companies are required to comply within a shortened time frame.
- Data Breach Notification Period: Companies must report any data breach "to the relevant supervisory authority without undue delay and within 72 hours of awareness". Companies are required to have a robust breach detection process in place.
- Scope of Companies: Many businesses not subject to the DPA 1998 (the UK's Data Protection Act) will be required to comply under the new regulation. Don't overlook the regulation, especially if you answered yes to the questions above.
Compliance with GDPR is similar to HIPAA or SOX compliance here in the States, where healthcare and financial companies have to redesign processes, infrastructure, data governance policy and training to meet their customers' needs.
So, how do you get started with your customers that need to get compliant now? Make sure they have the right vendors in place. Ask specific questions to make sure the vendor can meet all their GDPR needs.
- Can you quickly identify and isolate EU citizen data? What is your process for this?
- Do you have a process for erasures (right to be forgotten)?
- What third parties, if any, have access to data stored in your environment?
- How do you monitor and process who accesses data?
- How is data secured now, how will it be secured in the future?
- Are you prepared for a data breach? What is your data breach protocol?
The GDPR is a welcome change requiring companies to make data protection and security the center of their business strategy. If businesses fail to comply, they will be hit with a hefty fine, anywhere between 2 and 4 percent of the company's annual global revenue.
Many of your customers are well underway with preparations. Make sure you are up to speed and having the right conversations when recommending new solutions, or talk to a TBI Solutions Engineer who can help you.
Solutions we recommend for European customers:
About the Author
As Marketing Manager at TBI, Rachel Bruce is responsible for TBI's digital campaigns and marketing systems. She develops strategic programs to cultivate leads, enhance agent and service provider relationships and enable sales. In addition, Rachel collaborates across multiple departments to provide valuable resources for TBI's agent partners and customers. You can contact Rachel at rbruce@tbicom.com or connect with her on LinkedIn.