03 Jan GDPR: Do You Have an Action Plan?
According to App Annie, a leading provider of app market data, the average smartphone user in the United States uses 30 unique applications per month, with around 90 apps installed on their device in total. Does this ring true for you? Consider that every one of these apps may be collecting personal information about you, ranging from your name, height, and weight to your address, physical location, or credit card details. This isn't exclusive to apps: we hand the same kinds of personal information to retailers whenever we join a loyalty program.
Given the sensitive nature of these data points, it is incumbent upon app developers and businesses to maintain a high standard of security when handling such personal information, and legislation is starting to reflect that. In just over four months, the European Union’s General Data Protection Regulation (EU GDPR) will come into effect, marking a wide-reaching and significant shift in the way organizations are required to protect consumers’ personal data.
As of May 25, 2018, companies must adhere to a comprehensive set of rules, enforced by national supervisory authorities and overseen internally by data protection officers where the regulation requires one, including: privacy by design, minimization of data storage, accountability, the right to access and erasure, and data portability. The GDPR applies not only to businesses that operate within the EU, but also to those outside the EU that process the personal data of individuals located in the EU. In short, global organizations are going to be held responsible for the personal data they collect and store.
Given the rapid rise of digital and mobile technology, regulations like the GDPR are sensible. Businesses need to take better care of the personal data they obtain from customers, particularly given the threat posed by data breaches. What may be harder for leaders to grasp is the effort required to become GDPR compliant. Below are three steps to help your organization prepare for this change:
1. Establish a GDPR project team.
Leaders must work with their security, HR, and legal teams to create an accountability center. This project team will need to review processes using a privacy by design approach, accounting for privacy in every system across the organization.
2. Perform an initial data security risk assessment and create a GDPR action plan.
Assess the current state of your business's data collection and retention policies. Identify and prioritize the gaps between current practices and GDPR requirements.
3. Form a GDPR governance framework to manage risk in the future.
Institute roles to monitor the ongoing success of GDPR compliance. Members of the governance team will be responsible for recurring audits and for assessing the effectiveness of the compliance program.
GDPR is quickly approaching, and we encourage you to consider these basic steps to prepare. If you are interested in discussing a more detailed action plan, please reach out to me at 901.603.4227 or firstname.lastname@example.org.