The European General Data Protection Regulation (EU GDPR), adopted by the EU Council and the Parliament, applies from May 25th, 2018.
Now, for all you non-EU readers: before you even think about closing this tab, pay close attention. Even though the regulation is written for the EU, it applies directly to organisations in the U.S. and elsewhere that handle the personal data of people in the EU (strictly, anyone located in the EU regardless of citizenship; this post uses "EU citizen" as shorthand). Do you:
- have offices or employees in the EU?
- market or sell to EU citizens?
- partner with EU-based organisations?
- process, store, receive, or otherwise handle, now, in the past, or at some point in the future, data relating to EU citizens?
If any of these apply, you must comply with the EU GDPR. Consider and plan for the following:
1. Data that already resides within your organisation
Let’s say you’ve done business with, corresponded with, or collected information from an EU citizen in the past. Whether it was a deliberate interaction or an EU citizen simply filled out a form on your website, the regulation applies to every piece of personal data you hold on the day it takes effect, not only to data collected afterwards, so data acquired in the past must be brought into compliance. Organisations must scan their environments, identify any data that could, on its own or combined with other data, identify an EU citizen, and make sure all storage, processing, and management of that data is compliant.
2. Data that is used for targeted marketing
Does your organisation operate globally, have international satellite offices, or market to individuals or businesses in other countries? You may need to put new processes in place to handle EU citizens’ data differently from the rest. The EU GDPR includes specific rules on the collection and use of data for direct marketing, including the individual’s right to object to direct marketing and to any profiling carried out for it, which means a suppression mechanism that actually stops the processing, not just the emails.
3. All new data
Requests for product demos, support inquiries, emails, information added to HR systems, etc… Organisations are constantly taking in data that can be used, on its own or in conjunction with other data, to identify individuals. Going forward, incoming data must be classified according to where the individuals reside, so that EU data is processed, stored, and managed in accordance with the new law.
4. Data that is breached, altered, deleted, or destroyed
Does your organisation keep a detailed, auditable record of each piece of personal data from collection to deletion? Under the new rules, where consent is the lawful basis for processing it must be a clear, affirmative opt-in; individuals may request erasure of their data; and they must be told, at the point of collection, the purpose(s) of processing and how long the data will be retained. If a breach is likely to put them at high risk, they must also be informed of it without undue delay. To prepare, any organisation that holds, or may acquire, data on EU citizens must be able to track and report on the treatment of that personal information.
5. Encrypted data
The EU GDPR sets strict rules on handling personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals. If the affected data was properly encrypted so that it is unintelligible to whoever obtained it, the obligation to notify the affected individuals falls away (Article 34(3)(a)); the authority notification and the internal breach record are still required. This relief only holds if the keys were not compromised in the same incident, so key material must be stored and managed separately from the data it protects. Now, indiscriminately encrypting all data breaks functionality and turns cybersecurity into a barrier to productivity. To prepare for the new law, it is crucial to put encryption in place that is selective, targeted, and flexible: encrypt the fields that identify people, keep the keys elsewhere, and leave the rest of the system usable.
Are You Ready for EU GDPR?
Find out more in this recorded webinar, where you’ll hear from Andrew Dyson of DLA Piper UK LLP and Jennifer Sand, CloudLock’s VP of Product Management. Plus, find out how a cloud access security broker (CASB) can help with the implementation of customer controls, incident management, and ongoing audits.