In Europe, we are already living in a post-GDPR world, having upgraded our technical capabilities and data processes to operate in a GDPR-compliant way, though there are various interpretations of what that means.
In the U.S. the problem is much harder: businesses are still trying to work out whether they are doing business with people based in Europe and protected by GDPR, and therefore how to meet those requirements without annoying a predominantly U.S. based audience. However, the recently announced California Consumer Privacy Act and other ongoing U.S. discussions, such as those being carried out by the Trump administration, mean U.S. based businesses need to start preparing to adopt tighter data controls.
So what do U.S. based businesses need to be thinking of to get ahead of this data regulation?
Review technological capabilities and make sure good data management practices are in place
GDPR centers on the rights of individuals (data subjects), giving them much more control over their own data. As such, organizations need to implement good data management practices to understand and manage the data they hold.
The key technical consideration is being able to handle data subject requests, such as the right to be forgotten and the right to access, in a timely manner. That means knowing where all the personal data on a data subject resides, across every system, and being able to extract it in a machine-readable format.
Additionally, if you are in a regulated industry you must also consider whether data relating to the data subject is protected under other regulations that may prevent it from being shared or deleted.
And, of course, you must take measures to protect against data breaches, and in the event of a breach be able to identify it and notify the supervisory authorities within 72 hours.
Businesses operating globally will need to keep track of these regulations to keep doing business
Although it is formally an EU regulation, there is no mistaking the global reach of GDPR. GDPR will regulate data on EU citizens wherever they are located in the world, and EU businesses have to apply GDPR to all personal data, irrespective of where the data subject resides. GDPR represents a sea change in data protection and is causing other countries to consider their own data regulations (e.g. the new California Consumer Privacy Act) and companies will have to keep up.
Whether you’re in a regulated or unregulated industry, it’s essential to have a good plan in place for handling not just personal data but all data within the organization. This will enable your organization to handle this regulation effectively, along with the others that will follow.
A lot of organizations hold data in disparate systems, not all of which are under their direct control.
We’d recommend carrying out an audit to understand, identify, locate and categorize all personal data across the organization. The results should give you a heat map of risk areas where personal data is concentrated, and this is where your efforts should be focused.
Organizations should then put rules in place to determine the relevance of all Personally Identifiable Information (PII). This will help ensure that only necessary personal data is stored, and that it is erased once it has outlived its purpose. All instances of consent to personal data processing should be recorded in a reportable form.
Data Controllers need to put policies and procedures in place to protect personal data from loss, alteration or unauthorized processing. These should be disseminated to all Data Processors and should cover criteria for both the retention and deletion of personal data.
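The steps above (audit and heat map, relevance and retention rules, consent records) and the earlier data subject request handling (access export, erasure subject to other regulations) can be prototyped over a simple personal-data inventory. The following is an added example written for this article, not code from the original page or from any product it refers to; the inventory, records, retention windows and the `legal_hold` flag are constructed sample data, and all function names are hypothetical.

```python
"""Minimal personal-data inventory: PII heat map, retention check,
subject access export, erasure with legal-hold check, and consent log."""
import copy
import csv
import io
import json
from datetime import date, timedelta

# Constructed sample inventory (hypothetical systems and records).
# Each system declares which fields are PII, its retention window,
# and whether another regulation puts its records under a legal hold.
INVENTORY = {
    "crm": {
        "pii_fields": ["email", "name", "phone"],
        "retention_days": 365,
        "legal_hold": False,
        "records": [
            {"email": "alice@example.com", "name": "Alice", "phone": "555-0100",
             "last_activity": "2018-01-15"},
            {"email": "bob@example.com", "name": "Bob", "phone": "555-0101",
             "last_activity": "2018-06-01"},
        ],
    },
    "billing": {
        "pii_fields": ["email", "card_last4", "billing_address"],
        "retention_days": 2555,   # assumed finance retention rule (~7 years)
        "legal_hold": True,       # regulated data: must not be erased on request
        "records": [
            {"email": "alice@example.com", "card_last4": "4242",
             "billing_address": "1 Main St", "last_activity": "2018-02-01"},
        ],
    },
    "analytics": {
        "pii_fields": ["email"],
        "retention_days": 90,
        "legal_hold": False,
        "records": [
            {"email": "alice@example.com", "page": "/pricing", "last_activity": "2018-03-01"},
            {"email": "carol@example.com", "page": "/home", "last_activity": "2018-06-10"},
        ],
    },
}


def heat_map(inventory):
    """Audit step: number of PII fields per system, most concentrated first."""
    counts = [(name, len(sys["pii_fields"])) for name, sys in inventory.items()]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def expired_records(inventory, today_iso):
    """Retention rule: (system, record) pairs older than the system's window."""
    today = date.fromisoformat(today_iso)
    expired = []
    for name, sys in inventory.items():
        limit = timedelta(days=sys["retention_days"])
        for rec in sys["records"]:
            if date.fromisoformat(rec["last_activity"]) + limit < today:
                expired.append((name, rec))
    return expired


def export_subject_json(inventory, subject_email):
    """Right of access: every record about the subject, as machine-readable JSON."""
    found = {name: [r for r in sys["records"] if r.get("email") == subject_email]
             for name, sys in inventory.items()}
    return json.dumps({k: v for k, v in found.items() if v}, indent=2, sort_keys=True)


def erase_subject(inventory, subject_email):
    """Right to be forgotten: remove the subject's records from every system
    that is not under a legal hold. Returns (new_inventory, report) without
    mutating the input, so the report can be kept as evidence."""
    new = copy.deepcopy(inventory)
    report = {"erased": {}, "retained_under_hold": {}}
    for name, sys in new.items():
        mine = [r for r in sys["records"] if r.get("email") == subject_email]
        if not mine:
            continue
        if sys["legal_hold"]:
            report["retained_under_hold"][name] = len(mine)
        else:
            sys["records"] = [r for r in sys["records"] if r.get("email") != subject_email]
            report["erased"][name] = len(mine)
    return new, report


def record_consent(log, subject_email, purpose, granted, recorded_at_iso):
    """Append one consent event to the log and return it."""
    entry = {"subject": subject_email, "purpose": purpose,
             "granted": granted, "recorded_at": recorded_at_iso}
    log.append(entry)
    return entry


def consent_report(log):
    """Render the consent log in a reportable (CSV) form."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["subject", "purpose", "granted", "recorded_at"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(log)
    return buf.getvalue()


if __name__ == "__main__":
    print(heat_map(INVENTORY))
    print(export_subject_json(INVENTORY, "alice@example.com"))
    _, report = erase_subject(INVENTORY, "alice@example.com")
    print(report)
```

The erasure report is deliberately returned rather than only printed: it records which systems were cleared and which retained data under another regulation, which is the evidence a supervisory authority or auditor would ask for. Retention is evaluated against each system's own window, so the same subject's records can expire in analytics long before they expire in billing.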
Data Governance/Privacy by design:
In an ideal world, personal data should be stored in a separate, centralized location and access given only for specific purposes, but this isn’t always possible. Data privacy by design is a key feature of the regulation and putting technical measures in place will demonstrate that your organization can mitigate the risks involved in processing personal data.
It’s important to take action now to gain control of your data: a pragmatic approach to data management will not only stand you in good stead for complying with these data laws but also makes sense for enhancing your business agility.
For more info check out our whitepaper on GDPR implications for financial services businesses.