The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
GDPR goes into effect May 25, 2018, and while GDPR is an EU-established protocol, it affects any business worldwide that collects data on EU citizens. Non-European enterprises providing any form of goods or service to European citizens will need to comply with the new mandate.
Does your company need to be GDPR-compliant? Is your company compliant? While you may think it is, a recent research report shows that only 2% of companies that believe they are compliant actually are, with respect to meeting specific GDPR provisions. In the end, what we find is that many companies are unprepared for May 25.
The aforementioned research revealed that 48% of companies that stated they were GDPR-ready did not have adequate visibility over personal data loss incidents. As high as 61% from the same group revealed they have difficulty identifying and reporting an incident within 72 hours of a breach, which is mandatory when there is a risk to data subjects.
Much of this unpreparedness is due to an insufficient understanding of the provisions of GDPR. Penalties for non-compliance are stiff, with fines as high as $21 million or 4% of global annual turnover, whichever is greater. These risks are raising red flags, with a study from Veritas revealing that 86% of companies surveyed worldwide have expressed concerns over non-compliance, both in terms of penalty fees and damage to their brand image.
The information highlighted in this guide should not take the place of, or supplement, our current contracts and policy documents. We simply want to provide some answers to the many questions we have received and speak about the importance of complying with this law. You should always contact a qualified professional if you have any legal questions.
Steps to GDPR Compliance
The steps outlined below need to be part of a collaborative effort between companies and their managed service provider, like Hedgehog. While MSPs are also responsible for conforming to GDPR guidelines, it’s a mistake for companies to ignore GDPR and believe that their MSP can completely take the responsibility off their hands.
1. Perform Data Privacy Assessment
Your organization needs to conduct an initial assessment to identify compliance shortcomings. Customers should understand how their data is protected as it traverses the various networks and storage systems it passes through.
2. Acquire Data Subject Consent
Companies must have client consent before processing their personal data. Under GDPR, the consent must be voluntary, and clients have the right to revoke it any time. Consent must also be recorded and stored.
3. Protect Data Subject Rights
At Hedgehog, our administrators must allow our clients’ customers to access their data upon request. We would only do this while working in close coordination with our customers. Our customers have the right to transfer or make corrections to any such data. We are also required to respond to requests within a specified timeframe, which is usually within 30 days.
4. Satisfy New Obligations
Under new GDPR guidelines, all organizations are obligated to inform clients of a data breach within 72 hours. Companies that work with Hedgehog need to coordinate with us if a breach of their systems has occurred. GDPR policy also states that customers can hold both the company and its MSP liable.