The terms ‘GDPR’ and ‘heavy fines’ are being used in the same sentence. Let’s not get lost in the hype and stay focused on privacy best practice.
The introduction of the European Union’s General Data Protection Regulation (GDPR) in May 2018 has caused quite a stir within the tech industry. Any company that holds personal data about individuals in the EU is potentially exposed to a hefty fine if it fails to comply with the GDPR. If you have been a bit slow to get your head around the impact of the GDPR, start with these simple steps to properly assess any potential exposure.
1. Start at the source. The GDPR has attracted a flurry of media attention, and hundreds of articles (including this blog!) have appeared from all over the Web expressing a myriad of opinions on the topic. When this happens, it is always good to go to the source of official policy and information to determine whether the regulation applies to your business. Here is the EU’s GDPR website on the data protection reforms and what they mean for most businesses:
2. Work to the highest standard. When managing information digitally, it is natural to think about doing things in silos, where you segment your approach by region to meet specific regional requirements. However, as attention on data protection continues to build and data protection regimes converge, it is often easier, and better for your customers, to treat all the information you hold in the same manner, and to make sure that it is handled in accordance with the highest data protection standard you are subject to.
3. Mitigate unnecessary collection risks. Another big question raised by the GDPR is: are we collecting more information than we actually need? It is time to review how much personally identifiable information you are collecting and whether the value of that information (now and in future) is worth the risk of holding it. Give particular consideration to whether any “sensitive” personal information, such as health information, is collected and, if so, whether collecting it is really necessary. With Australia also recently introducing its mandatory breach disclosure scheme, now is a good time to undertake a data security audit and determine what personal information might be at risk.
4. But we already secure sensitive data. In that case, good. The GDPR requires data protection “by design” and “by default” and sets out practices that may meet this requirement, such as pseudonymising personal data (fully anonymised data, which can no longer be tied to an individual, falls outside the regulation altogether). In this sense, the GDPR is another driver to improve IT security practices in general, which is a positive step even if your organisation is not required to be GDPR compliant. This is similar to how the PCI DSS includes a number of prudent recommendations for improving how security and IT are managed that are worth following even if you don’t store credit card information.
5. Know your third-party risks. In addition to your internal practices, make sure any information you share with third parties does not breach any local or international regulations. The GDPR aims both to prevent the personal data of individuals in the EU from being “traded” or used without the individual’s consent, and to ensure that such personal data remains adequately protected even when it is transferred to third parties or overseas. Be crystal clear about what personal information your organisation may want to transfer to third parties, what they are permitted to do with it, and how that is documented in your contracts with them.
The new GDPR and the Australian data breach disclosure scheme indicate that governments around the globe are prepared to act to protect people’s privacy. But this increased focus on privacy should only be cause for concern if your organisation is not prepared or does not already have a reasonable security programme in place.
Start by assessing the requirements and working towards compliance; in most cases you will find this goes a long way to improving how your organisation manages sensitive information.
For more information or advice on how we can help you with the GDPR and the Australian Notifiable Data Breaches (NDB) scheme, book in for a 20 minute chat: