The General Data Protection Regulation (GDPR), the European Union’s (EU) new privacy regulation, has now been in place since May 25, 2018. The GDPR is one of the largest pieces of data privacy legislation to be enacted, and it brings significant challenges to organizations with customers, employees or suppliers who are EU nationals. Although we’ve been talking about and preparing for the GDPR for the past two years, a recent Gartner estimate shows that more than half of organizations won’t comply fully with the new data regulations by the end of 2018. If you’re like many organizations out there, you may still be wondering: am I ready?
If you’re one of those organizations, the good news is that there’s no need to panic just yet. OpenText™ compliance experts like Janet de Guzman, Director, Compliance Group are here to help you develop a strong compliance plan and prepare for the GDPR.
The road to GDPR compliance may seem daunting at first, says de Guzman in this Enterprise World 2017 interview, but it all begins with good information governance.
Janet de Guzman discussed OpenText and GDPR compliance at Enterprise World 2017
“Information governance is the heart of every compliance program,” says de Guzman. “Information and how it’s managed will not only help demonstrate compliance, but [it also] ensures compliance.”
How do you ensure your organization has good information governance? By creating a strong compliance plan that takes key considerations into account:
- Start with the basics. How does the GDPR apply to you? What does your organization need to do to comply? The requirements may differ based on the size of your organization and the types of data your organization uses.
- Get the right people in place. As with any business change, it’s important to have an executive leader sponsoring the new project. According to the new legislation, your organization may need to appoint a data protection officer, who is responsible for compliance. You’ll also want to identify a team of employees across multiple departments who will form your core GDPR compliance team. It’s important that every department with access to customer or employee data is part of the compliance plan.
- Show you’re accountable through a register of processing activities. Create a register of processing activities and define clear rules surrounding new activities. The register is required as part of the GDPR. It covers employee administration, account management, supplier screening, and more, and it should document all the ways your organization processes personal information, including information managed by third parties (such as data managed in cloud services).
- Clean up your data and classify personal information. Tag all data that contains personally identifiable information, and make sure you’re defensibly disposing of data when you’ve finished using it for the purposes under which it was collected. This concept is called data minimization, and is an important one for achieving compliance.
- Record, record, record! The new rules under the GDPR include keeping records to prove you have consent to use the data and why you are collecting the data in the first place. There are also requirements to retain privacy impact assessments and breach records.
- Report any data breaches. Under the GDPR, organizations have 72 hours from the time of detection to notify affected customers of data breaches.
- Update policies, procedures, and employee training. Organizations should review and update, if necessary, policies surrounding records management, information management, and privacy. In addition, every employee will need to know the new rules and regulations for compliance with the GDPR. Create a training program for employees, both current and new hires.
Once your compliance plan is in place, it’s time to address the next hurdle: adopting a new way of working with data. This is important because the GDPR is about more than just a shift in how we use, collect and store data—it’s also a major business transformation.
“It’s beyond a compliance challenge,” says de Guzman. “Organizations need to start thinking that personal data is something that belongs to the individual, not to them as an organization.”
“It’s going to change the way we all do business.”
You can learn more about the GDPR and how OpenText can help your organization achieve compliance in our breakout sessions:
- GDPR is here – Are you ready? Discovery, your first step to compliance
- Enterprise information management – your not-so-secret weapon to tackle the GDPR
Join us (and Janet) on site at OpenText Enterprise World 2018 for everything you need to know about the GDPR. We can’t wait to see you in Toronto!