U.S. Companies Need to Gear Up for GDPR Compliance: 5 Ways To Prepare
Now that you understand the importance of the EU’s GDPR and have made your peace with your need to care about and comply with the it all, you may have one more question:
How can I prepare for the May 25, 2018 enforcement deadline and ongoing GDPR compliance matters?
Does that sound about right? If so, you are not alone, according to many accounts. One example of such feet-dragging comes from Information Age, having reported in October of 2017 that only 5% of EU companies were ready for compliance.
While that article was published several months ago, it may be a reasonably accurate indicator of how many companies were, and still are, slowly awakening to the crucial importance of GDPR compliance. Just a glance at the penalties for non-compliance should light a fire under most compliance managers’ feet.
Thankfully, you are right on track by launching or ramping up your already-in-progress GDPR compliance project now.
5 Ways for Your U.S. Company To Prepare For GDPR Compliance
Many CIOs, IT leaders and compliance managers just like you need to prepare for full GDPR compliance as quickly and completely as possible. Of course, compliance with data privacy regulations is not new to U.S.-based companies, notes Security Week, but GDPR is a whole new ball game.
It may help you to check out these five ways―in no strict order—to help get started on your mission to make your U.S. company in ship-shape and ready for GDPR compliance.
1. Inventory Your Data and Investigate Its Current Security Status
Inventory and investigate your data to learn what data you hold on EU-based citizens. If you do not have any data on EU citizens, you may not need to proceed. However, given the global nature of business today, it is unlikely that you do not have some data in your system. If you do hold any EU resident data in your system, explore sites on the open, deep and dark web to see if you find any trace of your EU customers’ information. This step can help you proactively discover data leaks so you can address them as soon as possible. With this step, you can begin your GDPR compliance project with a clean slate.
In the policy, you must clearly indicate the specific information being collected or requested from your customers since they must have a choice of whether to provide it or not. Also, remember that you must clearly mark any data that you collect with its specific purpose.
3. Adjust Your Privacy Controls to Align with the GDPR with Privacy by Design
The GDPR requires U.S. companies to review privacy and data protection controls to ensure incorporation by design into any new or existing systems that involve personal EU citizen data.
You may find yourself working without formally defined processes in designing and building a new environment. Many organizations are defining an overarching process that can be used by other business functions. Once built, these companies are training users from IT and other business areas within their organizations to incorporate privacy by design, according to The Wall Street Journal: Deloitte.
4. Provide an Opt-In Requirement for Data Sharing
Since so much of the GDPR focuses on giving EU citizens a variety of information and freedoms regarding their data, companies are not allowed to share EU consumer data as a regular course. Therefore, instead of the standard opt-out model used in the U.S., which gives customers the option to not have their data shared with third-parties, you will need to provide an opt-in option.
You will not be allowed to collect or share EU consumer data by default, so must give them the choice to opt-in, wherein they must specifically consent to the collection and sharing of their data. You must provide this information in a direct, clear, specific and unambiguous way to EU citizens.
5. Prepare for Data Protection Impact Assessments
The GDPR mandates that companies perform Data Protection Impact Assessments (DPIAs) to zoom in on “high risks” to EU consumer data privacy, which may come to light during data processing.
Since the impact could be significant once GDPR takes effect, many companies are performing preemptive, or “look back,” DPIAs on their processes and systems that may pose the highest risks. With this step, you can start the new GDPR phase on a completely level playing field.
Reach Out for Help From A Team That Knows GDPR
Our I.S. Partners, LLC. GDPR team understands how overwhelming compliance may seem for U.S. business leaders at this point. There are many complex requirements and nuances that do demand a great deal of attention and commitment, in addition to your daily responsibilities.
This list is only a start, but we can provide you with plenty of additional advice and assistance to get your CEOs, management, employees, system and controls up to speed in no time. Call us at 215-675-1400, start a live chat, send a message or request a quote today!