Cold weather has set in in many parts of the U.S., but for those wanting relief, I suggest you think ahead to the month of May.
By next May, many nice things will be happening. It will be spring, the flowers will be blooming, and the PGA’s Players Championship golf tournament will take place as it does every May, in Florida at Sawgrass golf course, with its devilish island green.
However, I feel I have a duty to remind you of something else that’s going to happen that month, something almost as devilish as Sawgrass’s 17th hole.
On May 25, 2018, the European Union’s new General Data Protection Regulation (GDPR) goes into effect.
From that day forward, if you are a covered organization that is not compliant with the GDPR’s new standards for safeguarding personal information, you are subject to being hit with heavy fines.
If you think that your company is not ready for GDPR—and if you enjoy subjecting yourself to stress—I suggest you pay a visit to the official GDPR website. The GDPR website has a countdown clock ticking down how much time is left until the big day.
As of this writing it says: 162 days, 5 hours 33 minutes, and 19 seconds.
In this article I’ll try to help relieve some of your GDPR stress.
I’ll start by reminding you of what the GDPR is all about and giving you some do’s and don’ts on how to meet its requirements.
Then I’ll explain how the business continuity process can help you get ready for the new regulations. Finally, I’ll give you a heads-up about two aspects of the GDPR that have a special bearing on those of us who work in business continuity and disaster recovery.
The General Data Protection Regulation is a strict new data privacy standard that has been agreed to by the countries of the European Union.
It’s a lot stricter than any such protections we have in the U.S.
The GDPR applies to companies that have a presence in an EU country or which process the personal data of residents of those countries. Companies with under 250 employees are not required to comply—unless those companies process sensitive data or a great deal of data.
The upshot is, almost every company that does business in Europe or touches the data of EU residents will have to comply.
And the penalties for noncompliance can be steep: up to 4% of annual global revenue, or €20 million.
What does the GDPR protect? The personally identifiable information (PII) of people living in EU countries, including: name, photograph, email address, bank details, medical information, information relating to political beliefs or sexual orientation, and even computer IP address.
Many companies will also need to appoint a data protection officer (DPO) to ensure they are being sufficiently careful with people’s personal information.
Here are my do’s and don’ts for getting ready for the GDPR:
The good news is you can use the regular, time-tested business continuity process to get a handle on your readiness for GDPR. The business continuity process can also help you in becoming compliant.
For example, the business impact analysis (BIA) can help you figure out what data you are processing that falls within the scope of the GDPR. If you have done a good job in your BIA, you should already know which of your systems and applications contain vital records that are covered by the new regulation.
Similarly, you can modify your BCMMETRICSTM Compliance Confidence (C2) dashboard for GDPR compliance.
As far as what to do when, I would suggest that you first use a tool such as C2 to assess your level of compliance and determine whether you actually have an issue. Then use the results of your BIA to help you understand what specific processes, systems, and data you are using that could fall under GDPR.
Finally, there are a couple of little wrinkles to the GDPR that everyone involved in business continuity and disaster recovery should be aware of.
First, there will be new restrictions on data portability. Under the GDPR, what happens in Europe stays Europe. This means, if you have a disaster in Europe after May 28, you will probably not have the option of recovering the affected personal data in another country such as the United States.
As the date of GDPR enforcement approaches, business continuity managers will need to understand its impact on their recovery strategies and make adjustments as necessary.
Second, under GDPR companies will have to report data breaches within 72 hours. Fines for breaches will depend in part on the effectiveness of the company’s response. The GDPR makes it more imperative than ever that companies bring their A game when it comes to disaster preparedness and incident response.
Assuming that it took you three minutes to read this post, that’s three minutes less that you have to get ready for the GDPR.
Better get moving!
BCMMetricsTM can help. We can modify our online Compliance Confidence tool (C2) to evaluate GDPR compliance. The tool guides you through a simple assessment activity that evaluates your level of compliance to determine whether you actually have an issue. It’s flexible, to match the specific characteristics of your business, and can be completed entirely on your own. You’ll come away with a better understanding of where you need to focus your continuity efforts—and where you may already be wasting valuable time and resources.
The BIA On-Demand (BIAOD) tool acts as a business impact analysis template, ensuring you ask the right questions to help you understand what specific processes, systems, and data you are using that could fall under GDPR. And it’s simple to migrate the results gathered from your business impact metrics into a BIA report to share with the executive team—with a few clicks you can generate details on each business unit, providing authoritative and insightful information for all stakeholders.
It’s never been easier to build a world-class business continuity program. If you’d like to know more, schedule a free demo of our tools today.