Organizations established in the EU and processing personal data of EU-based individuals will, in almost all cases, be required to comply with the General Data Protection Regulation (GDPR) by May 25, 2018. In addition, the GDPR will now apply to organizations based outside the EU that offer goods and services to, or monitor the behavior of, EU-based individuals. If your organization falls into these categories, one of the essential first steps in your journey to compliance is understanding your data.
Recent studies have shown that relatively few businesses are prepared: a YouGov survey published June 2017 found that with less than a year to go, 62% of senior decision makers in British businesses said they had not even heard of the GDPR. To prepare for compliance, your organization will need to evaluate the personal data you handle: what data is processed, where, by whom, and, importantly, how it’s protected.
Before you can properly protect data, you need to know what you process. The GDPR will apply to personal data; broadly speaking, that’s any information that relates to an identified or identifiable person. Within the category of personal data, there will be more specific rules for special categories of data, like the racial or ethnic origin or religion of the individual, which can only be processed under stricter conditions. It will be important for your organization to understand all the types of personal data you collect and whether any of it falls under the special categories as defined by the GDPR.
After determining what personal data your organization stores and processes, you will want to understand where it is stored and processed. In particular, does that take place within your organization alone or do you use any third-party processors or suppliers? If personal data is processed by third parties, you’ll need to make sure they protect that data appropriately as agreed to in your contract and that they’re working towards compliance with the GDPR by May 2018. Remember that even if the protected personal data is stored outside of the EU, for instance in a data center in the US, the requirements of the GDPR will still apply. As is the case already, lawful international data transfer mechanisms such as model contract clauses or certification under the EU-US Privacy Shield will still be required to transfer personal data from the EU to the US.
Based on the first two steps, you can then examine in more detail who has access to the personal data processed by or on behalf of your organization. Different members of your team may require access to different types of data, which has implications for how you manage and protect it. Your organization will want to minimize access to sensitive personal data wherever possible. Both within your organization and when using external processors or suppliers, it helps to be able to set and enforce access rights to data easily and to have clear visibility into who has access to what.
Finally, it will be important to understand the security measures in place to protect your organization’s data. Use the GDPR as an opportunity to review what security measures you have in place for your data assets and whether they’re fit for purpose. Remember, the end user is often the weakest link in the security chain, and easy-to-implement measures like two-factor authentication and security awareness training to avoid common phishing attacks can be highly effective. Now that you have a better understanding of the personal data your organization handles, re-examine your breach response policies to consider how best to protect data in a breach scenario.
Compliance with the GDPR can’t be achieved with a one-size-fits-all checklist, so every organization needs to review its own practices alongside the requirements of the new regulation. The overview of the what, where, and who of your data assets—alongside an understanding of the security measures your organization has in place—will be an important step on the journey to compliance.
For more steps that you should consider to help prepare for the GDPR and for information on how Dropbox can help you protect and control your data, please click here.