5 Steps Companies Doing Business in the EU Need to Take Now

Protecting customer and employee data should be at the top of every major corporation’s priority list. Your customer and employee trust depends on it.

And if you are a global company with offices, employees or customers in the EU then you should pay close attention to the new centralized, formal rules that now apply to any EU member countries, called the General Data Protection Regulation (GDPR).

On May 25, 2018, the GDPR goes into effect, building on the existing data protection regulation act and imposing stricter rules on how companies handle data. The introduction of GDPR will change how organizations can store and use personal information.

It is critical to understand the GDPR’s principles and set up the necessary infrastructure and processes to ensure compliance or risk facing steep penalties, which can be up to €20 million or 4%  of global annual revenues — not profit — for the preceding financial year, whichever is greater. There are additional fines for infractions such as not having sufficient customer consent to process data, not having records in order, and not notifying the authorities and data subject about a breach.

So, if you have offices, employees or customers in the EU or have plans to expand into member countries, you’ll need to be prepared. And, even with Brexit impending, it’s likely that the UK will adopt the same regulations.

Here are 5 steps you should be taking now to prepare:

1. Designate a data protection officer

For companies processing large amounts of personal data, the GDPR mandates the appointment of a Data Protection Officer (DPO) – like me – whose job is to ensure compliance with the regulations. This person should be an expert on data protection law, business practices, technology and security. GDPR guidelines suggest the DPO should be located in the EU.

The DPO should be involved in every aspect of protecting data from the beginning of system development and throughout the process in a key decision-making role and report to the highest level of management.

Individuals with this skillset can be difficult to find, so you should be recruiting now if you have not yet appointed someone. The DPO can be an existing employee or from an external source, however, senior managers – the entire C-suite as well as heads of marketing, HR and IT – are not allowed.

2. Protect all your data

One of the main goals of the new regulation is to ensure the protection of personal data. This means that data must be stored safely and securely. Internally, data security must be well-organized too: only a limited amount of people should have access to the confidential information. Close collaboration with IT, compliance, legal and finance teams is necessary to find the right balance between data retrieval and how to protect that data from external threats.

Externally, if sub-contracting or sub-processing is used (for example, through the cloud) companies must select a provider with adequate guarantees (in particular, security of data transfers and storage). They must have a contract covering all required aspects of the sub-contracting / sub-processing, ensuring support of the provider in case of incidents, and ensuring the capacity to recover the data and have it deleted at the end of the contract.

Companies may have to review their current ecosystem of providers, guarantees and the contracts they have in place to comply with GDPR.

3. Conduct a Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a systematic process to assess how customers’ personally identifiable information (PII) is collected, used, maintained and disclosed to ensure it is adequately protected.

Working with your DPO, the PIA should be conducted throughout the development lifecycle of a system, but especially before you start collecting data in the first place. When risks are identified, the GDPR expects you to employ measures to address them, such as encryption, continuity plans or backups of the data. Risk may sit with technology (security of the network, vulnerabilities in the software) or in the organization and the people (access management, background checks, dissemination of the data, etc.).

4. Be prudent with your data

Under the new regulations, organizations may keep personal data only as long as it is needed. For example, the data of job candidates who are not hired should be deleted shortly after the recruitment process, unless candidates have given explicit consent. The same applies to the data of current employees. Any data companies hold on their employees must be for good reason.

Previously, companies would collect generic data like civil status, number of children, driving license etc. But now it will be more difficult to justify collecting data not directly related to the role or management of the employee. Storing personal contact information for use in the future without permission is not permitted by the new data act.

Also, the data of employees who leave your company for any reason may only be retained for a limited amount of time, which will certainly effect the offboarding procedures of many companies. “Delete employee data” must be on your drop-down list of offboarding procedures such as “Hand in work laptop,” “Hand in work phone” and “Hand in key.”

Article Continues Below

5. Provide transparency and accountability

As of the May 25, 2018 deadline, companies are also required to provide insight into how and where employee data is stored and processed. For information that requires employee permission, their consent must also be held by the company. This is not final, employees have the right to withdraw their permission.

It should also be made clear who has access to what data. To make this transparency possible, companies must critically review their current architecture of stored data. Does the current way of archiving meet the stricter requirements or should processes change? In particular, companies will have to document and prove how they comply with the new law.

With the GDPR, companies must also notify authorities and customers of data breaches within 72 hours of becoming aware of the incident, maintain records in order to provide customers confirmation if their data is being used and how, provide them a copy of their data if requested and allow them to have their data erased.

Overall, your goal should be to ensure accountability to protect your customers and employee and earn their trust. As you develop systems that process customer data, employ the principles of “privacy by design,” proactively embedding data protection in your processes, “privacy by default” using methodologies that minimize identifiability, observability and linkability as a default, and don’t forget to include your ecosystem of partners and vendors.

This post originally appeared on ReWork, the Cornerstone On Demand blog.

José Alberto Rodríguez Ruiz

José Alberto Rodríguez Ruiz is Cornerstone's data protection officer. Based in the company’s Paris office, Rodríguez has been with Cornerstone since 2009 and is now responsible for protecting the privacy of the data of Cornerstone's clients worldwide, ensuring Cornerstone data centres meet global and geographical requirements and helping clients with their privacy obligations.