When the EU passed its General Data Protection Regulation (GDPR), the May 25, 2018 compliance deadline felt far away. Not so much anymore.
Many of you might be thinking, “I’m not based in the EU, so what does this have to do with me?” If your company handles the personal data of any European Union citizens, it applies to you. If it doesn’t apply to your company, the ideas and regulations it provides are good business practice, whether you’re required to adhere to them or not.
To prepare for GDPR going into effect in just under 100 days, let’s explore what it is, how we can live up to its requirements, and three things your company should do to prepare.
What is the GDPR?
The GDPR applies to organizations inside the EU, of course, but also to any based outside the EU that provide “goods or services to, or monitor the behaviour of, EU data subjects.” It applies to any companies that process or hold personal data of EU residents, no matter where those companies are based.
It defines personal data as any information related to a “natural person” (“data subject”) that can be used to directly or indirectly identify that person. This definition includes obvious things like names, photos and bank information, and less obvious things like social media posts and IP addresses.
The GDPR divides companies into two groups: data controllers that determine the purposes, conditions and means of the processing of personal data, and data processors, which process personal data on behalf of the controller.
What does it all mean?
For data controllers, there is a strict set of rules that are detailed on the GDPR website. As our customers already know, their customer data is automatically encrypted, and they manage the keys – we don’t have access to their customer data at any point, by design. In that scenario our customers are primarily responsible for compliance because they are the only ones with access to their customers’ data, and know exactly how it’s processed.
That being said, here are three things your company should do:
Make sure you know your assets.
Every organization should know exactly what data it has and where that data is stored. It’s good business practice, aside from any regulations. If you have to be GDPR compliant, take this opportunity to take inventory of all your assets and where they reside.
Get your encryption keys.
Make sure you have all of your data encryption keys. This is true for any “data processors” you deal with. Holding your own encryption keys ensures that no third parties, even trusted service providers, have access to your customer data.
Confirm you have control of your data.
In order to adhere to the GDPR, it’s important that you know your data and also control it. This means being able to import and export data at any time. You should be able to remove all of your data from a provider’s network at will, and know that the provider will protect your data without being able to disable your access to it.
Again, these are good practices to undertake as part of your normal business operations. So, why not take the opportunity, as the GDPR takes effect, to do a data audit and make sure you’re in compliance? Whether you do business in Europe or not, the principles will help your data, and your customers’, be more secure.