The IT Directors’ Guide to GDPR Compliance

Most organizations take data collection processes and personal data protection seriously. Many companies invest in platforms designed to safeguard data and ensure data recovery.

Despite this, tons of companies still don’t know if they are fully compliant with the EU’s GDPR laws–and are at risk for fines for noncompliance.

Read this article to find out:

• The fundamentals of the EU GDPR laws
• What GDPR means for your organization
• How to avoid noncompliance
• Steps to become (and stay) GDPR compliant

Understand GDPR Basics

What’s the GDPR?

The European Union’s General Data Protection Regulations (GDPR) went into effect on May 25, 2018. The purpose of this law is to protect individuals from unauthorized personal data collection on the internet and hold companies who collect personal data accountable for consent to personal data and dedicated protection of that data.

What is Personal Data

The GDPR outlines personal data as:

• PII or personally identifiable information (name, an identification number of any kind)
• Location data
• An online identifier about specific “physical, physiological, genetic, mental, economic, cultural or social identity of,” the data subject

Seven Data Protection Principles

The GDPR laws follow seven data protection principles:

1. Lawfulness, fairness, and transparency
2. Purpose Limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability principle

These seven principles affect many aspects of your business’s day to day data processing and IT functions. A Data Protection Officer (DPO) appointed by your firm reports to the Data Protection Agency (DPA), the latter of which is authorized to levy fines for noncompliance.

Does it affect my organization?

Any organization which does business in the EU has employees in the EU, uses EU suppliers, or collects data on individuals in the EU must comply with the GDPR laws or risk a fine of 2-4% of annual global revenue.

Almost every organization in the world is affected by the GDPR ruling. Here are the major areas where  GDPR impacts your company:

• SecOps: With an appointed data protection officer (DPO) reporting on data security to the data protection agencies (DPAs), you’d better believe SecOps is under scrutiny
• Marketing and sales teams: Sales and marketing rely on personal data via cookies for ad placement and targeted sales outreach–you’ll need to be explicit about what kind of content you collect with prospects and ensure you have their express permission to reach out
• HR: If you have any European employees, HR needs to be sure of held data and its security against breaches
• Data processing or data sharing: Data accessed through European software or data processing suppliers or to European end users needs to meet the consent and protection clauses

Know Your GDPR Non-compliance Risks (And How to Avoid Them)

Your IT team is the business function most severely affected by the GDPR’s ruling. Here are the most important risks you need to pay attention to post-GDPR:

• Beware the cookies: If you collect data without clearly expressed consent (not the old “implied consent via the use of your site” banners), you are out of compliance
• Document consent: Not only do you need to gain consent, you need a way to document that each person whose data you’ve accessed expressed said consent (ask your DPA for clear guidelines on the nitty-gritty details)
• Hire or become an expert: You can learn the ins and outs or outsource a GDPR compliance audit
• Make data security and retention foolproof: Implement best practices to protect your data through added data security and retention measures

Marketing and Sales Data

Personal data collection via cookies begets micro-segmented marketing and sales outreach to these pinpointed groups.

Targeted ads are the backbone of many pay-per-click marketing campaigns, news websites, and most other businesses who trade in the digital space. With GDPR in force, organizations which collect personal data (in the form of cookies) from individuals residing in the EU or traveling to the EU are held accountable to follow the rules or risk a fine.

The censure for noncompliance with the GDPR can be as high as 2-4% of global annual revenue–not worth the warm leads.

Marketing and sales teams should be briefed on how data collection is changing and work together to create solutions that keep your business running smoothly and in compliance.

Steps to Ensure GDPR Compliance

1. Review your current data collection and retention processes either in-house audit or through a GDPR expert
2. Decide whether you’ll implement global data policies or only for EU-affected data interactions
3. Update data collection practices via cookies, focusing on consent and following GDPR guidelines
4. Fortify your data interface, including data storage and retention, to guarantee GDPR compliance
5. Appoint a Data Protection Officer (DPO) and know how to engage with your Data Protection Agency (DPA) to demonstrate GDPR compliance

Getting your company GDPR compliance and ensuring IT is up to speed takes a little legwork, but once you’ve gotten the processes in place, your data will be more secure and your company can rest assured you are in compliance.

Use Backupify to make your data storage for backups are GDPR compliant and protect your mission-critical data now.