What US companies need to know about GDPR before May 25, 2018
Doug Brown
Author, Board Member, Founder Competitive Intelligence | Market Research, Hospitals, Payers, Physicians, Healthcare Start-Ups, Artificial Intelligence, Capital Medical Equipment, Advisors
With the rise of cybercrime, it is becoming more important to consider consumer protection and brand reputation in information security design in the United States as Europe implements the General Data Protection Regulation next week.
It’s a big change that every multinational company that has dealings in the European Union will need to prepare for.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into effect, and it will govern how multinationals manage their data processing and protection policies. Failure to comply with these regulations could result in costly penalties, not to mention damage to reputation.
What is GDPR, how will it apply to U.S. businesses doing business in the European Union and are there penalties for non-compliance?
Over the past couple of months, there has been a lot of talk about GDPR, which is to be rolled out across Europe and which will impact any organization that stores the personal data of EU citizens. It is the culmination of four years of efforts by the Council of the European Union, European Commission and European Parliament to update data protection, especially in areas where people give permission to organizations to use their personal data in exchange for no-cost services.
The regulation took years to come to pass but was officially approved by the European Parliament on April 14, 2016. Any organization that stores the data of European citizens has until the May 25th deadline to get its GDPR house in order. After this date, penalties will be issued to any company that isn’t operating in compliance with the regulation.
While the scope of GDPR is far-reaching, the most important considerations for organizations that process or collect personal data on EU citizens include:
- Identifying GDPR-relevant data and tracking which parts of it you share with external organizations
- Designing new GDPR-centric processes that ensure the protection of all relevant data
- Notifying the relevant supervisory authority of any data breach within 72 hours
- Informing stakeholders how you will treat their information and making it clear how they can request details of the data you hold on them
- Being ready to disclose details of security breach incidents to customers. Depending on the severity of the breach, you may be required to share this information.
Organizations need to ensure that their data processing activities are carried out in accordance with the data protection principles set out in the GDPR.
To manage application services from a non-EU location, IT services organizations should pay close attention to and align with:
- An organizational data classification policy that covers personal data. Internal policies should adopt the principles of data protection by design and data protection by default.
- Procedures to ensure that all contractual clauses with clients relating to personal data, including security exhibits, are validated internally before the contract is signed.
- Implementation of a DPO (data protection officer) function and a tool-based approach to maintaining a detailed map of all personal data processing.
- Procedures to check the correct implementation of personal data protection policies and personal data transfer policies, in compliance with client contractual requirements.
- Training programs to onboard teams and raise awareness of personal data issues and regulations.
- Strong enforcement of identity and access management policies, tools and processes for databases containing personal data, backed by strong authentication and audit procedures.
- Implementing tools for masking or applying pseudonyms to personal data.
- Procedures to ensure personal data protection during encryption, archiving, or deletion (data lifecycle management).
- An incident management process to adequately report, respond to and mitigate data breaches. These policies and programs should be kept up to date and tested regularly so that regulators and consumers can be notified in a timely manner (within 72 hours of becoming aware of it) in the event of a data breach.
GDPR impacts data processors and data controllers alike, bringing data protection practices to the forefront of the business agenda. For organizations to remain GDPR compliant, they must continuously monitor the effectiveness of the measures they have implemented and continuously improve them by incorporating best practices in personal data protection.