General Data Protection Regulation: one year to go until compliance deadline

• Print

Details

Published: Thursday, 25 May 2017 08:40

May 25th 2018 is the deadline for compliance with the new European Union General Data Protection Regulation (GDPR); and statistics released by Veritas show that a significant percentage of businesses think that GDPR could put them out of business.

Veritas polled 900 organizations in eight different countries around the world in early 2017. The research includes statistics on the impact of non-compliance on business operations, customer relationships and livelihood. Globally, nearly one fifth (18 percent) of organizations are concerned that GDPR unpreparedness could put them out of business; this figure is 15 percent in the UK.

The research also found that:

• 32 percent of businesses do not think that their firm has the right technology to cope with GDPR requirements;
• 42 percent don’t have a way to manage which data should be stored or deleted;
• 23 percent of UK businesses believe they could lose customers as a result of GDPR.

To assist businesses with their GDPR preparations, Veritas has provided the following checklist:

Locate – the critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organization is located.  Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data

Search – residents of the EU will be able to request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They will also be able to request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted.  Ensuring that your organization can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties

Minimise – data minimization, one of the main tenets of GDPR, is designed to ensure that organizations reduce the overall amount of stored personal data. This is done by only keeping personal data for the period of time directly related to the original intended purpose.  The deployment and enforcement of retention policies that automatically expire data over time establishes the cornerstone of your GDPR strategy

Protect – under GDPR, organizations have a general obligation to implement technical and organizational measures to show they have considered and integrated data protection into all data collection and processing activities.

Monitor – GDPR introduces a duty on all organizations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected.  You should assure that you have capabilities in place to monitor for possible breach activity – such as unexpected or unusual file access patterns – and to quickly trigger reporting procedures.