Security teams are probably going to come under more pressure to make sure all PII data is appropriate encrypted or anonymized. Previously, encryption efforts were mostly focused on protecting portable devices which were deemed more at risk for misuse if lost, stolen, or exploited. GDPR compliance is likely to result in a rush for even greater data encryption across the enterprise, ensuring that that remains encrypted even if stolen, and anonymizing or making the data “pseudo-anonymous” whenever possible. CEOs and other C-level officers would love to hear that their reporting requirements for any possible data breaches are minimized.
Further, security teams will likely become under increased pressure to quickly determine if a data breach has resulted in a reportable event faster than ever. Seventy-two hours is a quick time window for many organizations, especially when trying to see if any fact can prevent the breach from having to be reported to impacted data subjects or the press.
How to prepare for PII protection regulations
It goes without saying that everyone in companies tasked with collecting, storing, processing, GDPR-impacted data should already be learning the basics of GDPR and what your company needs to do to prepare. Teams of people dedicated to GDPR preparation and compliance should be formed. Your company should probably create a custom document introducing the GDPR to impacted employees and customers, highlighting the areas for concern and improvement. Your most critical employees should be trained on GDPR and their knowledge tested.
If your company needs to have a GDPR data compliance officer, appoint someone or get hiring.
Next, assess your company’s readiness for GDPR compliance (e.g. people, tools, and processes), noting the areas for the most concern. Simply determining what data you already have that applies to the GDPR will be a big starting task. And how to contact those people and give the relevant required information? Most companies are going to need to create new systems to track data according to GDPR standards or modify existing systems.
Identify ahead of time what your company might have to do in the event of a personal data breach event. Seventy-two hours isn’t a lot of time. Who do you contact? Who contacts them? What information must you provide? Who and what determines whether data subjects have to be notified? Don’t let the first time you are figuring out how to respond to a GDPR personal data breach event be your first breach.
Of course, a whole multitude of companies are waiting for you to ask for their services or products.
The GDPR is a new gold standard in personal data privacy protection. Its efforts are to give data subjects more control over the data and to ensure the transparency of operations and protection than what has normally been done previously. It’s a wonderful thing for privacy protection, but a lot of work for those who are tasked to comply.
Van Hoof sees the GDPR as an opportunity for companies, “A lot of companies are seeing the GDPR as just another extra burden. Another cost. But I think it should be seen as an opportunity. Companies have been collecting data for a long time and aren’t even sure what data they have or whether they need it. They often don’t need it. GDPR will force them to re-examine why they collect the data, how long to retain it, how they process it, and overall be more efficient. It’s a chance to streamline not only the data but the processing around the data.