GDPR and the Role of IT
The General Data Protection Regulation, otherwise referred to as GDPR, is in effect as of May 25th, 2018. It is a legal framework which sets guidelines for processing and collecting personal information of people that are in the 28 countries in the EU (European Union).
Any business that processes personal data is now required to disclose any data collection. Organizations must also declare the lawful basis and purpose for processing the data. Additionally, businesses must also report how long the data is being retained and if it being shared with a third-party or with anyone located outside of the European Union.
It is the right of the user to request a portable copy of the data, in a common format, collected by the processor. The user has the right to have his or her data erased under some circumstances. Authorities who are considered “public” as well as any organization whose main activity is centered around the systematic or regular processing of personal data will be required to employ a DPO or Data Protection Officer. The DPO will be responsible for managing GDPR compliance. Organizations will be required to report within 72 hours any data breaches in the case that it will have an adverse effect on the privacy of the user.
GDPR’s Impact on Small Businesses
GDPR is applicable to every organization that processes and holds European Union resident’s personal data, no matter where you are operating your business across the globe. Most businesses do not realize that even if you are outside of the European Union, the General Data Protection Regulation still applies.
GDPR is a regulation, not a directive. This means that it is not mandatory that national governments pass legislation. It is directly applicable and binding. To meet the GDPR compliance requirements, an organization must offer goods or services to, as well as monitor the behavior of residents in the EU.
No Question About It: GDPR Matters and Must be Addressed.
Architects, engineers, and IT experts are typically already experienced and skilled about providing details regarding data security for auditing purposing as well as other regulatory requirements. Keep in mind that GDPR goes a step further. It requires organizations to capture the purpose for the stored data, not just the data itself. GDPR questions whether the purpose is considered compliant.
Leaders of small and mid-sized businesses need to take a deep dive and look at the organizations’ people, processes, system and applications. There is a two-part process for getting ready for GDPR compliance. The two parts are designing the machine for compliance and getting it running. Designing the machine refers to designing processes and identifying roles. It also means building an understanding of end-to-end processing activities for the personal information of individuals in the EU. This will enable teams to meet GDPR obligations.
Here is a handy 5-step process to get started and comply with GDPR:
- Understand the mission and model IT efforts: Get the IT folks together with the risk and compliance team to create a mission. Ask both teams what needs to be done to accomplish GDPR compliance. Identify how personal data is captured, why, and with who at the organization.
- Identify shadow IT with integrations and algorithms: Shadow IT is defined as a technology system and/or solution that is built and utilized within a business without explicit organization approval. It is difficult to prevent information from being distributed, copied or saved if the technology team is not aware it exists. The key is casting a wider net that goes beyond the IT department.
- Perform an Analysis of Compliance Risks: In steps one and two, business processes, application, cloud hosting providers, etc. should be an element on a map. Now is the time to analyze the compliance risks of each piece of the puzzle.
- The Roadmap Ahead Looks Brighter: Based on research and analysis, some business processes will require tighter controls. Or, perhaps replace or discontinue a process altogether. There may be an introduction to new roles and controls. This should include a Data Protection Officer (DPO) role, process for accessing personal information, rectification, transferring, erasing, and/or notification of breaches as well as assessments of impact.
- Reporting and Monitoring Progress: By taking the aforementioned steps, you’re on the path for success when it comes to GDPR compliance. Be diligent and you’ll reduce GDPR headaches later.