Get Ready for GDPR: Make Sure You’re in Good – and Compliant – Company
By Jorge Zelaya - Article on March 27, 2018
- Compliance and Risk
- Data Privacy
- Legal and Regulatory
A few weeks ago, we discussed The General Data Protection Regulation, known as GDPR – the massive regulatory framework that was approved by the European Union and will take effect May 25, 2018. The new regulation will change the internet as we know it forever, shifting the ownership of information from organizations back to consumers. Not only does it require European companies to take steps to protect consumer data, it also requires all organizations that handle data from European citizens to protect consumer data, even if that company isn’t based in the EU. And the penalties for not doing so are incredibly high: either €20 million ($24.5 million) or 4 percent of a company’s annual turnover.
This requirement has forced companies both large and small to take a close look at their data footprint – itself an incredibly complicated process. You have to get a comprehensive picture of what client data you have. You have to understand exactly how GDPR’s requirements apply to you in terms of protecting that data. And you have to make sure that you develop your cybersecurity procedures and defenses in such a way that, should a breach occur, you can easily and clearly explain to the authorities and affected individuals exactly what happened and how you complied with GDPR in handling it.
This is difficult enough to do in-house – but it becomes even more complicated when you consider that many organizations bring on vendors to help in all different kinds of capacities. And if you’ve handed over your sensitive client information to an outside vendor and the vendor is hacked, you’re in trouble. But if the vendor is hacked and they’re not GDPR-compliant, not only have the legal implications multiplied – your organization could potentially owe millions in fines.
As you continue to prepare for GDPR, keep an eye on what data goes out the door and don’t be afraid to ask tough questions of the vendors who have access to it. It’s important to make sure that they’re GDPR-compliant – not simply in order to avoid liability, but because you want the kind of people on your side who can help you navigate a breach should your organization find itself in one.
This also applies to any new organizations you bring on to help you manage cybersecurity concerns – whether it’s a legal team to help you get your arms around the complexities of the regulation, an insurance company that can help your clients recover in the event of identity theft or a forensics team you have on-call to help you deal with a breach. It also applies to vendors who have nothing to do with cybersecurity, such as marketing or communications firms. If they get their hands – or their eyes – on client data, they should be compliant.
There’s no denying that getting prepared for GDPR will require a good deal of work – for leadership, employees and even for consumers. But investing now in finding the right vendors will give your company an edge and prepare you for smooth sailing for decades to come.