GDPR Compliance for US Companies

Take these steps to comply with the new GDPR regulation.

Step 1. Hire experienced privacy professionals.

Does your company have the staff skilled at ensuring privacy controls and locating data throughout the organization? If not, you should hire experienced privacy professionals and recruit and train a data protection officer or outsource to a data security consulting firm.

Some companies may need to pull in people from many areas of the business, to coordinate with project managers across the organization to make sure the right processes are implemented.

Step 2. Establish a track record of compliance before May 25, 2018.

If your company is a large one, you should begin immediately to reinforce the implementation of information security controls and technologies. These include automated IT security monitoring, testing, and measuring. Your company should be able to provide detailed documentation to prove compliance.

Step 3. Know where your consumer data is. 

Determining this may be one of the most challenging tasks associated with getting ready for GDPR. Some companies simply do not know where all their consumer data are. 

Your company will want to create a comprehensive catalog of all your organization’s data, including development, test, production, data warehouse, and backup systems.  You need to have a sophisticated level of automation to handle this including logs of read, write and delete access, and then regular reporting to the Chief Protection Officer from these logs.

Step 4. Be able to analyze risks for the data you hold. 

The privacy professionals in your firm will need to determine which data are at risk and which practices and technologies will reduce those risks. If you are a company that is processing the data of many thousands of EU data subjects, you will be expected to implement stronger measures to protect this data than a business processing only several dozen subjects would be.  When your firm reduces its overall network risk profile, you will also decrease your chances of a data security breach.

Step 5. Data governance teams need to strengthen metadata management and data lineage capabilities.

Data lineage is critical to GDPR. Your privacy protection team needs to be able to determine where this protected data came from and where it is going. Use the metadata management tool to control who has read, write and delete permissions. The metadata management tool can link permissions to each column and internal user. You also want to reduce the time it takes to get data out of “quarantine” and into use. It would benefit your firm to be agile and ready for any additional regulations that will follow.  To meet these needs, the metadata management tool will identify and control access to GDPR-affected data, mainly PII.

Step 6. Integrate your ability to tag personal data directly with data access and masking tools. 

If your information is “Personal” or “Sensitive” or is an item that needs to be protected under GDPR, it should be de-masked, de-identified, or have access restricted.  This process should be done via automation.   

Data masking reduces the exposure of sensitive data within an organization.  The data masking protects it while at the same time maintaining its usability.  Data masking replaces real data with fictitious data so that it can be used safely in situations where actual data are not needed.   

GDPR views data masking as a way of protecting consumers’ privacy rights while letting data controllers use collected data for other purposes.

GDPR gives us a great challenge of balancing between data democracy and data protection. As firms we would like to get the most out of our data and have it fully available, however GDPR requires that organizations practice data minimization. For example, a life insurance company may collect personal information to issue a policy. Later the firm may decide they want to analyze this data collected from their clients to improve the pricing of policies.  But they would not be able to do so because the data collected for one purpose (e.g., writing a policy) cannot be used for a new one (e.g., to analyze pricing). However, if the information is anonymized via data masking, then they could use the masked database for pricing analysis.

Step 7. Be able to show consumer consent for data collection and processing.

Individuals must permit that their personal data be collected. GDPR requires that companies give individuals notice of collection and that the individuals have a chance to give permission before data gathering begins. The GDPR is designed to reduce risk to consumers and to allow them more control over their information.

The GDPR brings new requirements for all forms of direct marketing, including:

• Strict consent for all direct marketing campaigns
• A consumer’s right to be forgotten, affecting the way marketers store data
• Proof of consent, stored in a way which makes it easy to access

8. Ensure your internal privacy controls are effective.

The security practitioners in your company need to design and implement a wide range of internal controls that provide structure to how your data are stored, managed, transmitted, and destroyed.  You need to take steps to make sure that your internal controls are working well. These may involve using advanced cyber security methods and designing new firewalls for your information.

9. Make sure the data you store is portable.

The GDPR requires personal data to be portable from one company to another.   Your business must be able to manage data that are shared across multiple platforms or vendors. If a customer wants you to transfer their personal information to them, you need to be able to do so.

10. Be able to erase personal data when appropriate.

This will support the part of the regulation that includes “the right to be forgotten,” when individuals request that a company remove their data from its database. If an individual withdraws consent to having their data stored, companies must delete it.

A key objective of GDPR is to keep personally identifiable information private. According to Solix Technologies, nearly two-thirds (66 percent) of survey respondents say they are unsure if they can erase an individual’s personal information by the GDPR deadline. Many organizations have no process for tracking and documenting all their data and data flows. A solution would be to identify PII in the metadata manager, identify PII associated with a specific user, then delete all corresponding data.

11. Recognize and report a data breach.

Any company that experiences a data breach is required by the GDPR to give individuals affected notice of this breach within 72 hours. This new law gives companies increased incentives to avoid a breach.

Firms will want to implement advanced risk management techniques to guard against hackers.

These include:

• Identifying potential external and internal threats;
• Understanding the company’s data targets and their appeal to attackers; and
• Staying up to date on the range of tactics hackers may use. 

The GDPR also requires performing impact assessments which is a requirement intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.

12. Make sure your third-party partners are GDPR compliant.

If your company is a web-based company, you will have to make sure that the third parties you use are GDPR compliant. If your firm has many third parties, your business needs to have expertise in legal issues, vendor management, and risk management to create new models for engagement between the platform partners. 

Your company will want to identify, monitor, and audit third-party providers. You will also want to test security systems and processes at regular intervals.