The General Data Protection Regulation (GDPR) goes into effect May 25, 2018. While GDPR is an EU-established protocol, it affects any business worldwide that collects data on EU citizens. Non-European enterprises providing any form of goods or service to European citizens will need to comply with the new mandate.
Is your company GDPR-compliant? While you may think it is, a recent research report shows that only 2% of companies that believe they are compliant actually meet the specific GDPR provisions examined.
Many Companies Unprepared for May 25
The aforementioned research revealed that 48% of companies that stated they were GDPR-ready did not have adequate visibility into personal data loss incidents. As many as 61% of the same group reported difficulty identifying and reporting an incident within 72 hours of a breach, which is mandatory when there is a risk to data subjects.
Much of this unpreparedness stems from an insufficient understanding of the provisions of GDPR. Penalties for non-compliance are stiff, with fines as high as $21 million or 4% of global annual turnover, whichever is greater. These risks are raising red flags: a study from Veritas revealed that 86% of companies surveyed worldwide have expressed concerns over non-compliance, both in terms of penalty fees and damage to their brand image.
Steps to GDPR Compliance
The steps outlined below need to be part of a collaborative effort between companies and their cloud service providers (CSPs). While CSPs are also responsible for conforming to GDPR guidelines, it’s a mistake for companies to ignore GDPR and assume that their CSP will take the responsibility completely off their hands.
1. Perform Data Privacy Impact Assessment (DPIA)
Your organization needs to conduct routine DPIAs to identify compliance shortcomings. Customers should understand how their data is protected as it traverses the various networks and storage systems involved.
2. Acquire Data Subject Consent
Companies must have client consent before processing their personal data. Under GDPR, the consent must be voluntary, and clients have the right to revoke it at any time. Consent must also be recorded and stored.
3. Protect Data Subject Rights
On the CSP’s end, administrators must allow their clients’ customers to access their data upon request. Customers have the right to transfer the data or have it corrected. CSPs must respond to such requests within a specified timeframe, usually 30 days.
4. Satisfy New Obligations
Under the new GDPR guidelines, organizations are obligated to inform clients of a data breach within 72 hours. Companies need to coordinate with their CSP if the breach occurred on the latter’s end, since GDPR states that customers can hold both the company and its CSP liable.
Prepare for GDPR Compliance with HOSTING
With the GDPR deadline looming, it helps to work with compliance experts to ensure you’re taking the right steps. At HOSTING, our team of compliance experts is ready to help your organization build, migrate and manage a compliant cloud environment with offerings and a level of experience that’s unmatched in the industry. Click here to learn more about our offerings.