The General Data Protection Regulation will come into effect on the May 25, 2018.
GDPR offers a groundbreaking overhaul of rules first implemented two decades earlier, when the impact on the internet was a mere fraction of what it is today. For consumers, these new rules promise greater data protection. For businesses, however, the rules will require significant overhauls, as the cost of running afoul of rules can be stiff. Here are a few steps to ensure your business is in compliance.
Because any new set of regulations can be confusing and disrupt business, there are plenty of entities offering support. Consulting companies can provide the guidance businesses need to ensure they meet new demands. However, it’s important to seek out help early on, as demand might outstrip supply for compliance consultation. Furthermore, the sheer complexity of the GDPR means businesses might not be able to find a single entity for the entire process, so hiring multiple consultants might be essential.
Customer Information Audit
The scope of the GDPR is broad, as nearly all customer-related data will be covered. In order to meet its requirements, companies will need to ensure they know exactly what data they keep on customers and where it’s stored. Holding a customer information audit can help, and it’s essential to have people from across the company surveyed about what data is collected. It’s common for companies to hold a relatively small amount of customer data on an old computer system tucked away in a closet. Failing to account for this information can lead to problems.
Focus on Your Infrastructure
Although attention is often focused on the latest technology, many established companies still use relatively ancient tech solutions. If a mainframe server from the 90s, for example, still serves its purpose well, businesses might see little reason to upgrade. Before taking steps to come into compliance with new regulations, take some time to determine if your current infrastructure is up to the task. Although upgrading to new hardware and software is a major step, doing so can have additional benefits aside from GDPR compliance.
Despite its billing as tech regulation, GDPR compliance will also occur through humans. When customers request their data within a company, they must receive it within 30 days. Although automation can help, human interaction will likely play a major role within companies both large and small. Spend some time to train employees, and ensure they know what is expected when they receive various requests from customers. Again, consultation can play a vital role in developing and implementing appropriate solutions.
Prepare for Challenges
Even the best-laid plans can fail, and a responsible approach to the GDPR will involve prepping for difficulties along the way. One way to reduce the odds of fines is to show a good-faith effort to comply with requirements, and going beyond the bare minimum can put a company is a good position if difficulties arise. However, experts expect trouble across the EU; Forrester, in a report covering the GDPR in 2018, forecasts that 80 percent of companies will fail to comply during the year. Even more shocking, it predicts that 50 percent of companies will purposely fail to comply because it’s simply cheaper not to do so.
As with any new regulation, the GDPR might seem a bit ambiguous at first. In addition, confusing legal terminology and jargon can cause executives to misinterpret elements. Before establishing your legal basis for collecting information and drafting notices and consent-related text, it’s worth speaking with legal experts to ensure you’re on the right track. Consultants can often help in this field, but it might also be worth speaking with lawyers familiar with the law as well.
Your Data Protection Officer
While companies have hired data protection officers in the past, the GDPR provides a more precise definition of the role. Businesses may not be strictly required to hire a DPO, but having at least one person focused on compliance can be worthwhile even if it’s not mandatory. Deciding where a DPO fits in within the organization may present some challenges. Determine who the DPO will report to, and find out how to incorporate the DPO into your existing infrastructure. Ensure your DPO has the authority needed to implement policies and speak with upper-level management when problems arise.
The GDPR is being hailed as a significant step forward for customer data protection. Companies, however, will bear significant cost, and the roll-out of major regulations rarely go smoothly. By taking a proactive approach, working with experts, and ensuring your company operates in good faith at every step, you can ensure your business makes the transition as smoothly as possible.