Data Privacy Compliance: 8 things to do right away
The European Union General Data Protection Regulation (GDPR) becomes fully enforceable on May 25, 2018.
Please take note that the same applies for companies in the Philippines where the Data Privacy Act (DPA) is implemented effectively by the National Privacy Commission (NPC).
With perhaps a few exceptions, every business that collects personal data from customers, clients, and vendors is going to experience a security breach where that data is exposed, comprised, and/or stolen.
This inevitable fact is just one of the costs of doing business in an interconnected world. The GDPR and the DPA do not, and cannot, expect businesses to patch unknown security vulnerabilities or avoid security incidents altogether.
However, they do require businesses to make every effort to mitigate the damage security breaches have on people.
To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish data privacy compliance and avoid substantial fines and penalties after a security breach.
Here are 8 specific things your enterprise can and should do for data privacy compliance:
1. Educate employees about the data privacy regulation
Every associate, employee, supervisor, manager, and executive must be educated on data privacy protection and why compliance is vital to the enterprise's success. Under the GDPR and other data protection and privacy laws, personal data should be treated as the most precious asset owned by the enterprise. An asset so precious that it must be protected and handled with care always!
Businesses should hold training sessions to explain the details of compliance to make sure every employee is aware of their role in protecting data throughout the organization. No amount of cybersecurity technology can protect a poorly trained workforce.
2. Assess privacy data
This step may seem like common sense, but many businesses fail to document just exactly what kind of personal data they collect and process. The data privacy law is very specific on this point: Every business must know what data is being collected, why it is being collected, how it is being processed, and by whom.
3. Establish applicable data privacy policies
A typical policy will establish procedures and protocols limiting access to personal data, set consent standards, and provide for practical procedures regarding the data subject's right to access and, if requested, delete their personal data.
Policies dealing with intrusion detection, data classification, privacy protection, password management, auditing and logging, and encryption, just to name a few, should all be developed in support of an overall compliance policy.
4. Review personal data consent requests
One of the major provisions of the data privacy law is the concept of acquiring clear consent to use personal data from the data subjects themselves. The GDPR and the DPA establish a clear definition of valid and lawful consent with regard to data subjects:
5. Check data management procedures
Under the data privacy protection law, a data subject must be able to request access to their data to check it for accuracy, assess what their data has been used for, and audit how it has been processed.
In addition, data subjects must be able to request an electronic copy of their personal data that can be transferred to another organization. The data subject must also be able to request that all of their personal data be deleted in a timely manner.
If your enterprise does not currently provide these mechanisms for all data subjects, it is not in compliance with the law and is subject to fines and penalties. This is a non-negotiable provision, and developers should begin working on these provisions immediately.
6. Develop procedures for security breaches
Under the GDPR and DPA, enterprises are expected to have a comprehensive plan in place for when personal data is exposed, compromised, and/or stolen because of a security breach. Every enterprise should have an intrusion detection and an incident response policy to mitigate any damage caused by a security breach.
Furthermore, enterprises are expected to have a documented and functioning procedure for notifying data subjects that a security breach has occurred. The notification should include information about what data was compromised, when it occurred, that status of security vulnerability, and information on how data subjects can get more information.
7. Remember: You need to hire a Data Protection Officer
The DPO is a high-level position that must report to an executive of the company. The DPO must also be qualified to hold the position either from an education in compliance law or experience in compliance law.
Finding qualified candidates is likely to be a long process, so the sooner your enterprise begins its search the better.
8. Perform Data Protection Impact Assessments
Enterprises should perform an assessment on their current processes and examine any previous process changes or implementations of new processes for data privacy and protection concerns.
The documentation of this auditing procedure could reveal areas of data privacy and protection vulnerability and advance the enterprise toward the goal of data privacy compliance.
No security protocol is perfect, and data breaches are a fact of life in the modern business environment. The most important thing to remember about complying with the EU and Philippine law and other data protection laws and regulations is that effort counts.
Enterprises that can show documented proof that good-faith effort toward compliance has been made and, that data protection and privacy policies, protocols, and procedures are in place, will have a much better chance of avoiding fines, penalties, and financial hardship when the next security breach occurs.
Comments are welcome. Assistance can be offered. Please contact [email protected] [email protected]
- Latest
