Does your business handle the information of EU citizens? If the answer’s yes, it’s time to take steps to comply with new EU regulations. The General Data Protection Regulation (GDPR) comes into force in May 2018, and is designed to further protect consumers’ personal data. It’s the first global data protection law, and considers any identifying information to be personal data. This includes things like genetic, cultural, economic or mental information, meaning most collected data will fall under this legislation. To make it easier to comply with the new regulations, here are 10 steps your company can immediately add to your IT security solutions.
- Review your organization’s security
The first step towards compliance with the GDPR is to analyse your company’s internal security measures. Is your IT infrastructure sufficient to securely store consumer data? Take note of any potential risks, and take steps to resolve them as soon as possible. Though the regulations come into force in May 2018, it takes time to upgrade your infrastructure.
- Analyse the data you hold
Next you should review the data your company currently holds. Is it still required? If not, it’s posing an unnecessary risk to your company and should be deleted. If you still need to make use of the information, make sure you can account for how it was obtained, what it will be used for, and how long it will be held.
- Ask for consent clearly
The GDPR regulations require companies to clearly ask for consent when collecting consumer data. Simple language should be used so participants understand what’s being signed over, and what will be done with the data. Particular care should be taken to explain how the information will be stored, processed and used.
- Take special care with children’s data
Children’s data is given specific priority in the GDPR regulations. Companies must now verify ages to check whether they’re dealing with minors, as defined by the law of the relevant country. If a child is approached for information, their legal guardians must grant consent. The children must also understand what the data is used for, meaning child-friendly language is a must. Moreover, strong IT security solutions are required, as any data leak could result in child endangerment charges.
- Appoint a Data Protection Officer
Many companies will soon require a data protection officer (DPO) to oversee the safety of collected information. Organizations which require a DPO include public bodies, those who regularly monitor data, or those who process large amounts of sensitive personal data. If your company falls into one of these categories, in the coming months you should consider whether you’d prefer an internal or external DPO.
- Develop your IT infrastructure with privacy in mind
All your offices should have IT security solutions in place. If you store, process, or in any way offer access to consumer data, protective measures must be taken. Ultimately, data safety should be a primary consideration when developing your IT infrastructure.
- Delete unnecessary data
The GDPR also sets out rules on how your company should delete data. Your organization must have procedures in place to safely delete consumers’ data as soon as it’s no longer required. It’s important to note that the data shouldn’t be used for any other purpose without receiving further consent from the subjects.
- Allow participants to opt out
If any of the subjects ask for their data to be deleted, it must be done immediately. They also have the right to access the information about them, and have it corrected as necessary. Data participants must also be able to restrict access to their information, and object to all direct marketing.
- Complete a Privacy Impact Assessment
The GDPR requires companies to demonstrate they’ve thought through the effects of their personal data collection. One way to do so is to complete a Privacy Impact Assessment (PIA), which shows the organization has taken reasonable steps to mitigate the risks of collecting data.
- Notify authorities of breaches
Notifying the authorities of breaches will soon be mandatory. This needs to be completed within 72 hours of learning about the breach, and so your company should now begin to develop clear policies for managing and reporting data breaches.
Want to find out more information on data protection?
For more information on improving your company’s data protection, get in touch with our team today. We’re experts in IT security solutions, and would be happy to discuss the actions your business needs to take.