In less than a year, on May 25, 2018, the EU General Data Protection Regulation (GDPR) will introduce a comprehensive, EU-wide, binding ruleset for storing and handling personal information.
All 510+ million EU residents should feel stoked about GDPR. However, many businesses all over the globe with EU operations have yet to realize the stakes. The deadline for figuring out compliance from scratch, including partners and service providers, feels increasingly like a pair of tight jeans after a good, long dinner.
At Miradore, we’ve been preparing for GDPR for a while. With this post, we want to provide a glimpse at the basics of what GDPR means for cloud companies like us – and for many of our customers.
Please note that this article isn’t intended as legal advice.
1. Check and update your privacy policies
Companies must disclose what information is being collected and explain why it is collected. Note that this applies to third-party services too, including advertising, web and app analytics, and contact forms.
2. Be prepared for user data requests
Individual users can request information about all the data you have collected about them. You must be able to fulfill such requests and report back within a reasonable amount of time. In addition, companies must be prepared to remove all information they hold about an individual upon request.
3. Update the security documentation of your solutions
GDPR requires that all companies have documentation of how personal data is stored and transferred in their services. This means that all security documentation will need to be amended to cover the required topics.
4. Consider the location of data
Companies need to consider where customer data is stored and processed, not only in terms of database design, but also geographically. Customer data stored inside the EU doesn’t have to be declared in privacy policies as being outside EU jurisdiction. Transfers outside the EU, however, require a destination jurisdiction with adequate data protection.
5. Carefully define and document your internal security roles, responsibilities and processes
Companies that handle large amounts of personal information need to appoint a Data Protection Officer (DPO). The DPO must be a masterful communicator and be skilled at training others. Expert-level knowledge of data protection legislation is a must. This person will keep a watchful eye on company policies and affairs, covering employee and customer data alike.
Additionally, this person must have the faculties to act as a contact point for authorities. It will also be up to the DPO to oversee initial requests related to personal information that individuals may submit.
6. Train your employees
The new legislation requires that dos and don’ts are defined for employees through comprehensive training. It’s in every company’s interest to help its employees understand best practices, and routine procedures ensure readiness to act quickly. The need for nimbleness doesn’t only apply to reporting stored information: in the case of a breach, GDPR recommends disclosure within 48 hours of discovering the incident.
- Make sure there’s a process to provide users with their data upon request
- Make sure personal information doesn’t end up outside of the EU
- Appoint a Data Protection Officer and update your security documentation
- Train your staff
- Don’t panic! You’ve got this.
While this is just a brief intro to what GDPR means to companies, fear not – it will be continued.
In the meantime, we dare to guess that GDPR won’t be the only international law of its kind. Stay tuned, as readiness for compliance with segmentation, separation and securing of personal data is set to be a competitive advantage, all over the planet.
Title photo by Mobileapp Daily