We operate in an increasingly global business environment. There are clearly myriad benefits to global expansion, but, as many organizations are becoming aware, there are equally as many regulations and standards to meet, growing with the number of countries they operate in. Lately, the rapid introduction of new regulations has many companies worried about audit and compliance. Emerging compliance requirements in Europe, such as the General Data Protection Regulation (GDPR), have pushed companies to understand where they store and manage data over the remainder of its life cycle in order to comply with these requirements.
GDPR is a new privacy regulation in Europe that protects the personal data of any individual based in the European Union (EU), regardless of citizenship or where the data is being held. It applies to any organization located inside or outside the EU if it offers goods or services to, or monitors the behavior of, EU data subjects. This regulation will be enforced from May 2018 and outlines strict fines for companies found to be out of compliance. With the deadline just under a year away, now is the time for organizations to establish a process for adhering to the necessary requirements.
This regulation is not to be taken lightly. Strict fines will be applied to companies found to be out of compliance. With a maximum fine of “up to 4% of annual global turnover for breaching GDPR or €20 million” (whichever is higher), organizations of any size will be significantly affected by noncompliance. Many organizations have already started down the path to compliance, but for those that have yet to focus on GDPR, time is running out. Here are a few key points any organization affected by GDPR should be thinking about.
How Will GDPR Affect My Company if I Do Business with EU Residents?
With GDPR, any global enterprise that collects or processes information about individuals in the EU is legally responsible for protecting that information while it is under its stewardship. If information is retained, it must be purged when it is no longer needed. This regulation will affect information collected in sales orders, invoices, receipts, delivery slips, and many other day-to-day business activities. Types of data that may fall under the regulation can include (but aren’t limited to):
- Contact information (name, address, phone number, email)
- Credit card information
- Personally identifiable information (gender, social security number, etc.)
What Does It Mean if I Run SAP Systems?
Once enterprises understand what data falls under GDPR, they must understand how to apply the regulation to the information processed and stored in SAP systems. This can be very complex, as information about individuals can be contained in both data and documents that are stored across multiple environments, systems, locations, and countries. Organizations must ensure that this information is protected and properly discarded.
What Can I Do Right Now?
To determine which company-specific data will fall under the regulation, an organization must have a risk team evaluate exactly how the regulation applies to its business and what falls under the regulation’s umbrella. Companies should conduct a privacy assessment to determine what data will be affected by GDPR, where that data resides, and how that data moves through their systems. Once you have an inventory of the personal data the company handles, consider what is done with that data. Why is the company collecting it? Does it need to be retained? Did the individual consent to the collection of his or her personal information? Who has access to that data, and why? Finally, are proper security controls in place to prevent external or internal exposure of personal information? Categorize the risks and inform data stewards or owners about the risks posed by the data so that you can begin to work on a solution.
Once the privacy assessment is complete, organizations should focus on the four P’s of GDPR: policies, processes, protocols, and people.
- Policies: Ensure retention policies are updated and the privacy assessment is completed so that you have enough time to become compliant ahead of the deadline.
- Processes: Adapt your existing procedures to incorporate GDPR requirements. In some cases, this step may require a complete overhaul of existing procedures. Some examples include:
  - Informing individuals when and why personal data is collected.
  - Requesting that individuals give explicit consent to retain personal information.
  - Setting up additional user access roles to prevent nonessential people from viewing sensitive data.
  - Enabling masking or encryption of data where necessary.
  In some cases, companies will determine that they have been retaining information they do not need, so existing procedures will need to be eliminated or adapted accordingly.
- Protocols: Develop a protocol that determines how you will handle situations in which individuals want to invoke their GDPR rights, including:
  - Who handles the requests?
  - What is the procedure?
  - In what cases does information need to be kept for legal, business, or other reasons?
- People: Educate your customers, vendors, and employees about the coming regulation and let them know what you’re doing to safeguard their personal information.
Take this seriously and get your data in order. A lagging organization will be hit with the full fine. Put in the effort now to ensure your policies, processes, protocols, and people are set and ready to go.
About James Baird:
James Baird is a Senior Information Consultant at Dolphin who specializes in information retention and audit. He is a Certified Information Security Auditor and Certified Information Systems Manager with certifications in PCI and PII audits. He previously worked for IBM, KPMG, Deloitte, and as the Director of SAP IT Security at Coca-Cola Enterprises. He has degrees in IT and Project Management from the University of Calgary and a degree in Organizational Psychology from the University of North Dakota.