GDPR carries considerable weight in the areas of security, privacy and data protection for business and IT professionals in Europe and other countries where business is conducted with the European Union and European Economic Area.
Demonstrating compliance with GDPR -- regardless of the location of the entity doing business with the EU -- is a major activity, but many organizations encounter issues doing so.
How to avoid GDPR compliance challenges
The following challenges and remedies are based on key GDPR requirements, as well as good governance, risk management and compliance practices. Organizations must work to overcome these challenges, as there are significant financial and reputational penalties for GDPR noncompliance:
- Know what data you collect. Determine whether your organization collects, stores or otherwise processes personal data of individuals who are in the EU or EEA, either because the organization is established there or because it offers goods or services to, or monitors the behaviour of, people there (Article 3). Personal data relates to identified or identifiable natural persons, not to organizations. If none of this applies, GDPR is likely not applicable, but an inventory of data flows is still needed to demonstrate that conclusion.
- Know why data is collected. Determine and record the lawful basis for each processing activity. GDPR's Article 6 recognizes the following bases:
- the data subject has given consent to the processing for one or more specific purposes;
- processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering one;
- processing is necessary to comply with a legal obligation to which the controller (not the processor) is subject;
- processing is necessary to protect the vital interests of the data subject or another natural person;
- processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the data subject's interests, rights and freedoms, in particular where the data subject is a child.
- Educate data subjects. Make it straightforward for individuals to exercise their right of access (Article 15) and to understand how their data is processed. Note that GDPR calls the individuals a record describes data subjects, not data owners.
- Protect data. Apply technical and organizational measures appropriate to the risk (Article 32). Pseudonymization is one measure named there: replace direct identifiers so that records can no longer be attributed to a person without additional information, such as a key or lookup table, that is kept separately and under its own access controls. Pseudonymized data is still personal data and still falls under GDPR.
- Support data portability. Ensure data subjects can receive the personal data they provided in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance (Article 20).
- Let users erase data. Ensure data subjects can request erasure of their personal data (Article 17) unless an exception applies, for example where retention is required by a legal obligation or for the establishment, exercise or defence of legal claims.
- Let users object to or restrict processing. Ensure data subjects can object to processing of their personal data (Article 21). An objection to direct marketing must always be honoured; objections to processing based on legitimate interests or a public task can be refused only on compelling legitimate grounds. Data subjects can also ask for processing to be restricted (Article 18).
- Control international transfers. Ensure personal data leaves the EU or EEA only under a lawful transfer mechanism, such as an adequacy decision, standard contractual clauses or binding corporate rules (Chapter V), and that data subjects are told about the transfer and the safeguards that apply (Article 13).
- Appoint a data protection officer (DPO). A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Article 37); other organizations should consider appointing one. The DPO advises on and monitors GDPR compliance and is the contact point for the supervisory authority.
- Report data breaches. Ensure a process exists, and is regularly reviewed and tested, for notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals (Article 33), and for informing affected data subjects without undue delay when the risk is high (Article 34). Keep an internal record of every breach, including those that did not need to be reported.
- Inform data subjects about their data. Provide a privacy notice at the point of collection (Articles 13 and 14) that states who the controller is, the purposes and lawful basis of the processing, the recipients, the retention period, and the data subject's rights, including access, rectification, erasure, restriction, portability and objection.
- Perform impact assessments. Conduct a data protection impact assessment before starting any processing likely to result in a high risk to individuals, such as large-scale processing of special categories of data or systematic monitoring (Article 35), revisit it whenever the processing changes, and track mitigation and remediation for the risks it identifies.
- Build in compliance. Practise data protection by design and by default (Article 25): build data protection requirements into new business processes and systems from the start, default to collecting and exposing the minimum personal data needed, and retrofit existing processes.
- Encrypt data. Encrypt personal data at rest and in transit, and keep the encryption keys under the controller's own control, stored and access-controlled separately from the data, so that a hosting or storage provider holding the ciphertext cannot read it. Encryption is a measure named in Article 32, and a breach of data that encryption has rendered unintelligible need not be communicated to data subjects (Article 34).
- Understand penalties and fines. Ensure those responsible for GDPR requirements know the exposure: administrative fines of up to 10 million euros or 2% of worldwide annual turnover for breaches of obligations such as security and record-keeping, and up to 20 million euros or 4% for breaches of the processing principles, lawful basis, data subject rights or transfer rules, whichever amount is higher (Article 83), in addition to reputational harm.
- Designate an EU representative. Controllers and processors not established in the EU that are nevertheless subject to GDPR must designate a representative established in a member state where their data subjects are (Article 27), unless an exemption applies. The representative is the point of contact for supervisory authorities and data subjects; it is not a substitute for the organization's own compliance work.
- Ensure management support. Ensure senior management supports GDPR regulations and compliance and authorizes funding for GDPR compliance activities.
- Perform assessments and audits. Consider engaging an external third-party firm with GDPR assessment and auditing experience to provide GDPR compliance assistance plus impartial evaluations of GDPR compliance.
- Create a data privacy department. Consider establishing an internal data privacy department -- if one does not already exist -- to prepare policies, procedures and audit evidence supporting GDPR compliance.
- Conduct awareness training. Provide awareness training for employees to explain the importance of GDPR, the company's commitment to compliance, and how to recognize and escalate a data subject request or a suspected breach.
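The pseudonymization and key-separation points above (protect data, encrypt data) in working form, as an added example that is not from the original article: direct identifiers are replaced with HMAC-SHA256 tokens under a secret key held apart from the records, so the data stays linkable for analytics and can be re-identified by whoever holds the key, while an attacker with the tokens alone cannot recover the identifiers by guessing. It also shows why an unkeyed hash is not enough. The field names, the sample records and the demo key are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption for this demo: these two fields are the direct identifiers;
# every other field (plan, country) is kept unchanged.
DIRECT_IDENTIFIERS = ("email", "national_id")

# Constructed sample records for the demo; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "national_id": "AB123456", "plan": "pro", "country": "DE"},
    {"email": "Bob@Example.com", "national_id": "CD789012", "plan": "free", "country": "FR"},
    {"email": "bob@example.com", "national_id": "CD789012", "plan": "pro", "country": "FR"},
]


def normalise(value: str) -> str:
    """Canonicalise an identifier so spelling variants map to one token,
    which keeps records about the same person linkable after pseudonymization."""
    return value.strip().lower()


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic, but anyone who can
    guess the input (email addresses are guessable) can confirm a match, so
    there is no 'additional information kept separately' protecting it."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def keyed_pseudonym(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 token. The secret key is the separately held additional
    information; the field name is mixed in (domain separation) so the same
    string in two different fields does not yield the same token."""
    msg = field.encode() + b"\x00" + normalise(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return copies of the records with direct identifiers replaced by keyed
    tokens. The originals and the key must be stored apart from the output,
    under their own access controls."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = keyed_pseudonym(key, field, new[field])
        out.append(new)
    return out


def dictionary_attack(tokens, candidates, pseudonym_fn):
    """What an attacker holding the tokens but not the key can try: hash a
    list of guessed identifiers and look for matches. Returns {token: guess}."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


def find_subject_records(pseudonymized, key, field, value):
    """Re-identification for a legitimate purpose, e.g. an access or erasure
    request: with the key, recompute the token and select the matching rows.
    Without the key this lookup is not possible."""
    token = keyed_pseudonym(key, field, value)
    return [r for r in pseudonymized if r.get(field) == token]


def demo(key=None):
    """Run the scenario end to end and return the observable results."""
    key = key or secrets.token_bytes(32)  # 256-bit key, to be stored separately
    pseudo = pseudonymize(SAMPLE_RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    naive_tokens = [naive_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    keyed_tokens = [r["email"] for r in pseudo]
    return {
        # unkeyed hashes fall to a guess list; keyed tokens do not
        "naive_recovered": sorted(dictionary_attack(naive_tokens, guesses, naive_pseudonym).values()),
        "keyed_recovered": sorted(dictionary_attack(keyed_tokens, guesses, naive_pseudonym).values()),
        # the key holder can still serve a data subject request for Bob
        "bob_plans": [r["plan"] for r in find_subject_records(pseudo, key, "email", "bob@example.com")],
        # both of Bob's rows (different spellings) carry the same token
        "bob_rows_linked": pseudo[1]["email"] == pseudo[2]["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The key is the "additional information" that Article 4(5) requires to be kept separately: store it in a secrets manager or HSM with access restricted to the function that performs re-identification, never alongside the pseudonymized export. Rotating the key produces a new, unlinkable token space, which is useful when a dataset is retired or a key is suspected compromised.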
GDPR compliance is an important activity for organizations around the world. Organizations should start by understanding the regulation and then determine what they need to do to address data protection and privacy in accordance with GDPR requirements.