The EU’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. If your company is not in compliance by now, you risk incurring significant financial penalties.
Still, more than 50 percent of companies subject to GDPR weren’t in full compliance by the end of 2018, according to Gartner. That’s a lot of exposure to the most significant compliance regulation to come along in many years.
This guide will help your company with GDPR compliance. We’ll start with a discussion of the law and then move into strategies that can help you meet the GDPR’s toughest requirements for data privacy and security.
GDPR is designed to protect the personal data of EU citizens, and to do so it regulates how such data is collected, stored, processed, and destroyed. The definition of “personal data” is extremely broad: It includes names, addresses, and bank details, but also data related to religion, race, mental or physical characteristics, and even IP addresses, web cookies, contacts, and mobile device IDs, if they identify an individual.
Perhaps most importantly, the territorial scope of the law is very broad. Article 3 of the GDPR states that a company anywhere in the world is subject to the GDPR if it processes the personal data of anyone residing in the EU. It doesn’t matter if your company has no offices or employees in the EU, or even if no transactions are carried out in the EU. If you process an EU citizen’s personal data, then you need to comply with the GDPR or face the financial consequences.
Complying with the GDPR is a huge undertaking, but it’s important to understand that it is a business project rather than just an IT or IT security project. The IT department can help ensure data integrity and security, but new business processes may need to be put in place to ensure that individuals can access their own data, that privacy is built into all systems and services, and that all other obligations of the regulation can be fulfilled.
Moving your organisation into GDPR compliance is a process you ideally started long ago, and there are a number of useful online tools that can help you assess how close you are to achieving compliance.
One of the most useful tools for small and medium-sized companies is the UK Information Commissioner’s Office (ICO) data protection assessment. This includes a GDPR checklist for data controllers and a GDPR checklist for data processors. ICO also provides a useful tool to help assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls, and malware protection.
Microsoft has also produced a quick and simple assessment tool that shows which stage you have reached in your compliance effort and what steps you need to take next.
The GDPR is made up of 99 articles that provide a detailed description of the regulation, and since every organisation is different, it is impossible to provide an exact prescription that will guarantee your organisation is in compliance.
There are general guidelines anyone can follow, however, and the ICO has produced a document recommending 12 steps that should be taken to fulfil general GDPR requirements: