Even though GDPR comes into effect on 25 May 2018, now is the time for organisations to take it seriously. It won’t only affect businesses operating in the European Union, but also companies doing business with EU citizens around the world. Organisations that fail to comply with GDPR can be fined up to 4% of the organisation’s global revenues – so it’s clearly something you should be taking seriously. Since the way we manage data will be affected, companies can prepare to comply by assessing what the new regulations mean for data handled within the business, who has access to the data, and what sort of procedures are in place regarding training.
Here are 5 actions organisations can implement today to help with GDPR compliance:
- Understand and Segment by Data Location
People in the EU have the right to enquire if and how their data is being processed. Therefore, organisations need a clear understanding of where personal data resides and what potential risks it is exposed to. They can do this by figuring out where the personal data is stored. You’ll need a detailed analysis of the data stored on corporate systems, filing cabinets, offsite archives and cloud-based services. Is it stored within an EU or US data centre location? If you are storing data in the cloud, you’ll need to ensure that the cloud provider is meeting the new EU regulations.
- Understand the right to erasure
The right to erasure, also known as ‘the right to be forgotten’, is a principle that dictates that a person can request for their data to be removed or deleted from the company’s systems. The right to erasure only applies in certain circumstances—like where the data is no longer necessary in relation to the purpose for which it was originally collected, when the individual withdraws consent to processing, and when the data was illegally processed. Organisations will need to be able to perform selective disposition, where an individual’s personal data can be easily found and extracted.
- Limit Employee Access to Personal Data
Since personal data passes through employees, contractors and suppliers, it’s important that all parties understand and comply with the same retention policies. To ensure GDPR compliance, limit which of your employees have access to personal data. For those who do have access, make sure that they are trained, and that there are documented procedures for handling personal data. Privacy guidelines must be documented and shared across the organisation. This is to make sure personal data can only be accessed by employees in designated roles or locations.
- Protect and Audit
To ensure GDPR compliance, you should be using these three techniques to protect data: encryption, pseudonymization and anonymization. At this stage in your GDPR compliance journey, you need to be able to produce reports to show regulators that you know where your personal data is located, you are properly managing the process of getting consent from involved individuals, and you can prove how personal data is used. You should also have processes in place to manage factors like the right to erasure, data breach notifications and more.
With better data governance practices, you can manage the risk exposure of your organisation when it comes to data privacy and avoid the wrath of GDPR regulators. If you’d like to know more about the new data regulations and how a SAP data management strategy can help you get ready for compliance, download the guide: