Beginning May 25, 2018, enforcement of the General Data Protection Regulation will go into effect. Organizations across the globe conducting business in the EU will be impacted by this EU Parliament regulation, including but not limited to health care providers, media agencies, law firms and financial professionals. Businesses large and small need to prepare for changing regulations regarding the privacy of customer sensitive data, how and where it is stored, which devices it lives on and how it is accessed, lest they face significant violations leading to substantial fines.
Beyond the financial impact, consider the importance of stronger security for the privacy and protection of EU residents. With rampant, unprecedented cyber attacks affecting populations around the world last year, the need for unified data protection is now more relevant than ever. Companies that house a large amount of sensitive information could be especially vulnerable to attacks and data breaches this year, notably those in the healthcare and government industries. But make no mistake: Any enterprise operating on a global scale will need to take measures to protect stored data and abide by new GDPR policies.
Whether your business is located inside or outside the European Union, if your goods or services are directed to people in the EU and your operations store their personal data, GDPR compliance is required. Keep in mind that any kind of identifiable personal data, including customer identification records, financial details, medical information, IP addresses, photos, and even names and email addresses, is considered private data that falls under the GDPR umbrella. How this data is collected, used and stored will be regulated under the new rules.
As part of our efforts to maintain GDPR compliance, we are rolling out an EU data storage location and migration process for BrickFTP users in advance of the May 25 enforcement date. We’ve also prepared a GDPR compliance checklist to ready your organization for the swiftly approaching changes in data protection and privacy.
1. Review Your Process for Maintaining Sensitive Records
Your organization should already have a unified, secure file-sharing and storage solution in place. A central storage solution also makes data deletion upon request easier. For example, if a qualifying person wants their data removed from a company’s system, it is harder to complete this request if that data is scattered across systems.
Now is the time to audit the process your team follows for uploading, transferring and archiving client information. This should include a conversation and general review involving all key stakeholders and users throughout your business. The review should analyze the security of your file-sharing software: who exactly has access to customer sensitive data, where it is being shared and how well it complies with the changing data protection regulations. In parallel with this analysis, companies should draft a data map showing how data flows through their organization.
Does your solution store data securely and in encrypted form? If a breach should happen, how well equipped are your team and your file server solution provider to respond and remedy the situation? There are many questions that should be asked ahead of time, and one of the most important actions you can take at this stage is to unify all data in a secure, centralized location. You are exposing yourself to attack if information about citizens is floating around on multiple devices or in scattered locations. If part of your operations involves distributing private, sensitive data, keep it all in one controlled location that can be accessed only by authorized parties.
2. Determine Whether or Not You Need to Appoint a Data Protection Officer (DPO)
First, each global business needs to understand the distinction between a data processor and controller, as regulations for each differ under the General Data Protection Regulation. A controller is typically a business or organization that decides the means of collecting and processing personal data, along with the purposes for such. A processor, on the other hand, processes this data on behalf of the controller. Cloud service providers serve as a prime example of a data processor.
Both data processors and controllers will be responsible for complying with regulations that impact any action taken on collected data under the new General Data Protection Regulation. The regulations require a Data Protection Officer to be appointed when:
the processing is carried out by a public authority or body;
the ‘core activities’ of the controller/processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
the core activities of the controller/processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offenses.
Companies will need to assess whether they fall under one of the above requirements. While the DPO will be responsible for monitoring GDPR compliance, the liability for any violations remains with the company.
It is wise for organizations to form a committee or GDPR compliance team that involves legal, human resources and the head of IT, both to appoint and to work with the data protection officer. The person in this position will need to report to the highest level of management and must have a keen understanding of the new GDPR requirements and all legalities involved. The DPO will need to monitor how customer data is processed and stored, how compatible any current or prospective systems are, what to do in the event of a data breach, and how to notify the relevant individuals of any attack on their personal files and information.
3. Revise Contracts and Update Policies
With new and evolved policies in place under the GDPR, including “Data Erasure,” data subjects may withdraw consent from the data controller to have their information stored. Clients will also have the right to know where their personal information is being processed, shared or stored and why. This will drastically increase transparency for businesses, as they will also be required to share a free copy of the client’s stored personal data electronically with the client.
Consent conditions will also be strengthened under new GDPR regulations. Clients must be able to clearly identify and understand how their personal information will be used and stored. Terms and conditions should not contain legalese or illegible jargon. Requests for consent should also be separate from other documents and should be written in simple language.
These are just a few of the numerous changes involved for businesses under the GDPR regulations. Any change involving how your team’s or customer’s data is being stored, accessed and shared should be clearly communicated with all involved parties.
Now would be a good time to seriously consider upgrading your business’s secure file sharing software. For example, making the switch from the small business cloud plan to the enterprise BrickFTP plan ensures priority support in case of any potential risks to the security of your customer data, early access to new features and guaranteed compliance with your industry’s required laws and regulations.
4. Understand New Policies for Reporting Data Breaches
Notification of any serious data breaches to proper authorities within 72 hours will be mandatory when the GDPR goes into effect. If any individual’s personal data is lost, destroyed, changed, shared or accessed by an unauthorized source, data protection authorities must be informed within the designated timeframe.
The individual(s) affected must also be notified “without undue delay” and told precisely how the breach could affect or harm their privacy as soon as the issue becomes apparent. It is best to strengthen measures now to safeguard your organization and sensitive customer information from a cyber attack or data breach.
5. Document and Securely Store Data-Handling Activities
In addition to choosing a file hosting service to safely archive customer information, your organization should also find a place to securely store all documentation related to how it handles, processes and shares client data. Now is a great time to begin creating written processes that clearly detail what information will be stored, where it will be stored and who within the organization will be granted access to it and why. This will not only help enforce cohesion within the company, it will also be available should data authorities question how data is being handled by the company.
Documentation outlining the procedure to follow if a breach occurs should also be stored in the same secure client document portal. Again, having one central location to store, share and access confidential internal files related to organizational procedures and sensitive client data is of the utmost importance.
Choosing a file storage solution with a designated client portal can help foster transparency and trust. It also makes explaining to EU residents how, where and why their data is stored seamless and simple for your entire team.
BrickFTP is taking the changing GDPR rules very seriously and encourages all organizations to take preliminary measures to protect both their enterprise and sensitive client data. Contact us now to get on our priority list for access to our new EU server location.
The information contained herein is for informational purposes, and is not for the purposes of providing legal advice. You should consult with your attorney with respect to any specific issue or problem.