Many regulations are going into effect to help protect consumers’ data including the General Data Protection Regulation (GDPR). Established by the European Union, GDPR goes into effect May 25, 2018.
This regulation is designed to harmonize data privacy laws across Europe, to protect citizens’ data privacy and to reshape the way organizations approach data privacy. If an organization is in breach of GDPR, it can be fined up to 4 percent of its annual global revenue or $23.6M (whichever is greater). All companies that hold any data of European Union citizens, regardless of where the company is located, are affected by this regulation.
Will GDPR Affect You?
Businesses located outside of the EU need to pay attention to GDPR. If you have a global footprint with European customers, you’re required to be compliant. As a reseller, do your clients transact business in Europe? If the answer is yes, you need to consider putting a process in place to ensure you’re GDPR compliant next May. Here is a summary of the changes:
Before GDPR, companies only needed to ask once to process a customer’s data. With GDPR, an organization must get separate permission to use a customer’s data for different things such as marketing, support and maintenance. Businesses also must record customer consent. Customers will have the opportunity to withdraw consent, and the business must delete any information it holds about the customer. Requests to remove data will profoundly affect companies that rely on third parties to store data. These third-party vendors must also comply with GDPR regulations and delete a customer’s data as requested.
Data Governance Obligations
GDPR promotes security and privacy, specifically encryption and pseudonymization, the process of separating personally identifiable information from other data to reduce security risks. Small businesses are expected to rely heavily on their reseller partner to meet these GDPR requirements.
Organizations must use privacy impact assessments for high-risk activities, such as monitoring. Companies must also introduce audits and frequent policy reviews. While GDPR doesn’t require an official data protection officer for companies with fewer than 250 employees, all organizations will need someone who is responsible for security policies and procedures.
Data Breach Notifications
Under GDPR, data breach notifications become mandatory. Each company should create a procedure for notifying local regulators and, in some cases, customers of a breach.
Steps Companies Should Take:
- Determine if your company is considered a controller or a processor under GDPR.
- Audit your data to determine the type of data you have and if it belongs to EU citizens.
- Collaborate with your legal department and GDPR experts to designate which EU member state will be your supervisory authority.
- Select a Data Protection Officer if your company has over 250 employees. For SMBs, decide who will be responsible for security policies and procedures.
- Redesign what consent and disclosures look like for your customers.
- Audit third-party providers and review agreements.
- Evaluate your data centers to review how EU data is segmented.
You play a critical role in helping your customers prepare for GDPR. At Tech Data, we have a team of security experts here to help. For more information on GDPR and other regulations, please contact our security team at 800-237-8931, ext. 73246 or firstname.lastname@example.org or visit techdata.com/security.