How to prepare your company for the General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018 and will have far-reaching effects on companies and citizens in Europe and worldwide. It also reaches companies outside the EU, including Swiss companies, as soon as they process personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour.
Many companies are still not sufficiently prepared for the new rules. The European security software manufacturer ESET has compiled some tips that IT managers can use to make their company fit for the requirements of the GDPR:
- Bring the issue to the attention of management: All key decision-makers in the company should understand the impact of the GDPR and what it means for day-to-day operations. Budget, staffing and accountability for the changes have to be decided at that level, so inform management early about the importance of the topic.
- Check how your company processes data: Until now, companies have had to deal with the protection of personal data to varying degrees. From May 2018, every company that processes personal data of people in the EU, whether as a controller or as a processor on behalf of another company, is responsible for protecting it and for being able to demonstrate that it does so. To get an accurate picture of how data is handled in your company, put the current methods of data processing to the test: which personal data you collect, for what purpose, on what legal basis, how long it is kept and with whom it is shared. This shows you how far your company still has to go to prepare for the changes.
- Appoint a data protection officer: A data protection officer is mandatory for public authorities and for companies whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data; many other companies appoint one voluntarily. Data protection officers work independently, must not be instructed in how to perform their tasks and report directly to the highest level of management. Their most important tasks are to know the GDPR thoroughly, to inform and advise the company on its obligations, to monitor compliance and to act as the contact point for the supervisory authority and for individuals whose data is processed.
- Involve all stakeholders in the analysis: Before assessing the security of stored personal data, companies need to determine where the data is stored, who is responsible for managing it and who has access to it, including processors and other third parties. Involve both the data protection officer and the IT department in this process. This gives decision-makers a better idea of the measures taken so far and of the gaps that remain.
- Investigate past data breaches: By examining previous security incidents and the weaknesses that allowed them, you not only get a clearer idea of what options your company has for responding to future attacks. You also check whether your procedures meet the requirements of the GDPR. For example, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken to address it; affected individuals must also be informed when the breach is likely to put them at high risk. Because the clock starts when the company becomes aware of the breach, detection, escalation and decision-making have to work within that window, and every breach, whether notified or not, has to be documented. Companies that do not adequately prepare their systems and processes for this must expect heavy fines in the event of an emergency.
- Consider the rights of individuals: One of the main objectives of the new regulation is to strengthen the rights of individuals whose data is processed, including the right of access, the right to erasure of data and the right to data portability. The latter means, for example, that individuals can receive the data they provided in a structured, machine-readable format and take it to a competitor of your company. Companies have an obligation to facilitate the exercise of these rights and, as a rule, to respond to a request within one month. It is therefore important to establish procedures for receiving, verifying and fulfilling such requests, including locating all copies of a person's data across systems.
- Place value on consent to data processing: The GDPR aims to provide clarity when it comes to consent to the processing of personal data. Where consent is the legal basis, it must be freely given, specific, informed and unambiguous, expressed by a statement or a "clear affirmative action"; pre-ticked boxes and silence do not count, consent must be as easy to withdraw as to give, and the company must be able to demonstrate that it was obtained. The new rules also aim to protect children: for online services offered directly to a child, the consent of a parent or guardian is required below a certain age (16 by default, which member states may lower to 13). It is therefore worth checking which practices are already in place to inform users about the use and processing of their personal data and how consent is recorded.
- Last but not least, support the necessary measures already today: The measures required to implement the GDPR can put a great strain on a company's infrastructure. Additional resources available in the right place can determine whether a company meets the requirements in time. Therefore, plan ahead so that IT managers have the necessary resources available at the crucial time to meet all compliance requirements.
For more information on the General Data Protection Regulation, please visit the page ESET has set up specifically to support companies in preparing for the GDPR.
Source: ESET