The European Union has this week released new guidance on how companies operating in Europe should protect their customers’ data. In less than two years, all businesses that work with European customers will have to comply with this General Data Protection Regulation.
The biggest change to European data protection law in 20 years will take effect in 2018. Today, the EU Parliament officially adopted the General Data Protection Regulation (GDPR), paving the way for a new age of data protection for consumers and tighter rules for businesses. Organisations, including U.S. multinationals that handle EU personal information, will soon have to demonstrate that they are actively protecting personal data. The EU has been working on this regulation for years; in December 2015 the negotiating parties agreed the text that sets out the new framework for protecting and securing customer information. The GDPR applies to all companies doing business with customers in Europe, wherever those companies are based.
As background, every company handles customer data as part of buying and selling goods and services. For companies that sell to the same customers more than once, this means retaining data such as card numbers, addresses and other sensitive information. As customer records have moved from paper to digital systems, new guidance is needed on how that data is stored and managed over time; without this update, the rules on protecting data would either be out of date or fail to cover all the ways customer data is now used.
By putting one overall framework in place, companies will only have to consider one approach to data security rather than maintaining separate data protection arrangements for customers in different countries. For customers, the regulation provides greater control and transparency over their data.
For all companies that do business in Europe, GDPR will apply from May 2018, giving their IT teams two years to prepare.
There are five main points to consider:
Adherence to these points will be monitored and enforced by the Data Protection Authority (DPA) in each country; in the UK this will remain the Information Commissioner's Office. For companies with operations in more than one country, one DPA will act as lead authority and be responsible for all data protection activities applying to that company.
Companies meeting specific criteria will also be required to appoint a data protection officer (DPO). The criteria are still being debated, with measures such as company size by number of employees currently being suggested. The DPO would be responsible for ensuring that all data protection rules are followed, in the same way that a health and safety officer oversees the safety of people within the company against risk in the physical world.
IT teams at businesses that sell in Europe can begin doing several things now to protect their operations against risk. Planning ahead makes it easier to implement the processes and technologies that protect company data, and to ensure compliance around the security and storage of customer data.
Here are four steps that all companies doing business with customers in Europe can take to get ahead of the new law.
Data on company IT assets should be collected and copied to provide a backup. Using public cloud services can reduce unnecessary redundancy and the number of separate services in use, lowering the cost of protecting data for disaster recovery and compliance over time. Bear in mind that every backup is itself another copy of customer data: backups need the same encryption, access controls and deletion rules as the live systems they protect.
Bearing the portability requirement in mind now will make it easier for IT teams to support data portability from a technical perspective, even where the business would rather retain customers. Marketing and other uses of customer data are the areas with the most potential for slips. Tracking where personally identifiable information (PII) is used, and spotting when new copies of customer data are created, can reduce this risk considerably, even when those files are being created on individual laptops or mobile devices.
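As an added illustration of the PII-tracking step above (example code written for this page, not from the original article or any vendor product), the following Python scan walks a set of constructed sample files, flags card numbers (loose regex plus a Luhn checksum to discard look-alike numbers) and e-mail addresses, records only masked values so that the report is not itself a new copy of the data, and lists every location outside an approved system of record that holds customer data. The file paths, the sample contents and the approved-prefix list are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" (path -> contents) standing in for a file share.
SAMPLE_FILES = {
    # The system of record: expected to hold customer data.
    "crm/customers.csv": (
        "id,name,email,card\n"
        "1,Ana Ruiz,ana.ruiz@example.com,4111111111111111\n"
        "2,Ben Okoro,ben@example.org,5500 0000 0000 0004\n"
    ),
    # A stray export on an employee laptop: a new copy of customer data.
    "laptops/jsmith/q3_campaign.csv": (
        "email,card\n"
        "ana.ruiz@example.com,4111-1111-1111-1111\n"
    ),
    # Looks like a card number but fails the Luhn check: an order reference.
    "notes/todo.txt": "chase order 4111111111111112 with the supplier\n",
    # No personal data at all.
    "marketing/newsletter.txt": "Spring offers now live at https://example.com/offers\n",
}

# Deliberately loose matchers; luhn_ok() removes most numeric false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(candidate: str) -> bool:
    """True if the digits in candidate pass the Luhn checksum used by card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "card" or "email"
    masked: str     # never store the raw value: the report would be another copy


def mask_card(candidate: str) -> str:
    digits = "".join(c for c in candidate if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    local, domain = address.split("@", 1)
    return local[0] + "***@" + domain


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per card number (Luhn-valid) or e-mail address per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append(Finding(path, line_no, "card", mask_card(m.group())))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, line_no, "email", mask_email(m.group())))
    return findings


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    return {path: scan_text(path, text) for path, text in files.items()}


def stray_copies(results: dict[str, list[Finding]], approved_prefixes) -> list[str]:
    """Paths that hold PII outside the locations approved to hold it."""
    return sorted(
        path for path, findings in results.items()
        if findings and not path.startswith(tuple(approved_prefixes))
    )


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for findings in results.values():
        for f in findings:
            print(f"{f.path}:{f.line_no} {f.kind} {f.masked}")
    print("stray copies:", stray_copies(results, ("crm/",)))
```

Run against a real share, the same logic would walk the filesystem instead of the `SAMPLE_FILES` dictionary; the part worth keeping is the discipline of masking in the report and diffing successive runs, since a path that appears for the first time is exactly the "new copy of customer data" the text warns about.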
Securing data with encryption is one step, and it only helps if the keys are managed and stored separately from the data they protect. Companies also have to plan how they will communicate around a breach, and to reduce the risk in the first place through smarter management of data sets. The aim is that even if a breach does take place, what is exposed is of little use to an attacker and customers come to no harm.
A good policy for how and when data should be deleted is therefore essential. It can be used to justify the work and budget involved in deleting customer data where deletion is required, and to record where data is needed for archiving and will therefore be kept.
For all businesses that work with European customers, regardless of size or location, GDPR will force a rethink of how data is created and captured across the organisation. The overall aim is to make data protection and security simpler for customers, while companies will have to take a more nuanced approach to storing customer data over time. For companies that want to simplify their approach to data security, converged data protection can help.
Learn how to plan your requirements around GDPR ahead of the deadline for delivering better data protection for your customers with this 5-step guide.