GDPR is almost upon us, and businesses everywhere are running out of time to get in line with its data privacy and security guidelines. For many companies, there is still a lot of work to do before that May 25 deadline arrives. As of July 2017, only 22 percent of organizations in the United States had finished making their preparations, according to PricewaterhouseCoopers.
In Part 1 of this series, we ran through a quick primer on what GDPR is, who it affects and how it can penalize violators. We can now dive a bit deeper into the GDPR waters and look at what specific requirements companies need to adhere to and how to become compliant.
Revamp consent management
GDPR will completely overhaul how user consent is obtained, likely requiring substantial changes to internal processes, workflows, databases and other IT systems.
Arguably the biggest change here is the inclusion of explicit consent, meaning that companies can no longer use ambiguous language or other means to obtain approval to collect customer data. Popular tactics like using pre-checked consent forms are also out - customers must opt into any data collection programs.
Furthermore, consent forms need to lay out precisely what information is being collected and how it will be used. Businesses can no longer simply gobble up a bunch of information with vague plans to leverage it at some point down the road.
New consent forms will be necessary to comply with these guidelines, and businesses may need assistance from an IT services consultant to get those assets in place before GDPR goes into effect.
Adhere to 'right to be forgotten' guidelines
In addition to these new explicit consent terms, users can also opt out of any data-collection program whenever they choose. Once such a request is received, companies must comply in a timely manner and completely remove any trace of that individual from their systems and databases.
Comprehensive data erasure is a tall order, and many legacy IT systems are not designed with those tasks in mind. IT solution providers can help assess what changes need to be made and develop the most cost-efficient way to address right-to-be-forgotten requests.
Put a data breach response plan in place
GDPR has a few guidelines dictating how companies should react in the event of a data breach. For instance, supervisory authorities need to be alerted within 72 hours of detection. In order to comply with these demands, businesses need to map out a comprehensive incident response plan so nothing is missed and all bases are covered.
If you need help drafting a speedy data breach response workflow - or assistance with any other aspect of GDPR compliance - reach out to TEKConn. Our team of IT, data security and compliance experts can answer all of your questions and get you ready for GDPR's launch date.