Many US companies are anxiously getting ready for May 25, when the European Union's General Data Protection Regulation (GDPR) becomes enforceable. GDPR is a regulation within EU law centered on data protection and privacy that addresses the export of personal data outside of the EU. GDPR regulates the use of personal data of natural persons who reside in the EU by any organization around the world. US companies processing data of EU residents need to comply, or face heavy fines and other penalties.
GDPR has replaced the Data Protection Directive 95/46/EC, a previous law governing personal information in the EU, which was adopted in 1995- before the advent of social media, the commercial world wide web, and big data. This new regulation will come into effect in May of 2018 after a two year transition period that allowed for organizations to adjust their practices to comply.
With GDPR, the definition of personal and sensitive data has widened to include health, biometric, and genetic data, as well as cookies and IP addresses. The new regulation requires minimized processing of any information or data that would allow someone to directly or indirectly identify a natural living person. Therefore, certain ways of doing business in this era of big data may not be allowed under this regulation. Tim Walters, Principal Strategist, and Chief Privacy Lead at The Content Advisory, couldn't have put it better- with GDPR looming, organizations need to "put their data house in order." See the podcast link below for the full interview of Tim Walters.
Many different departments within your organization may be using customer's personal data including Marketing, Public Relations, Sales, Customer Service, IT, and Compliance. Companies need to create policies and procedures for all records containing personal data. Every business process within your organization that uses personal data should be examined to ensure compliance with the new regulation.
But how can you govern your information to ensure compliance if you don't know what or where that information is? Identifying and understanding your information assets is essential to complying with the GDPR regulation.
The first step is creating an inventory of those information assets - knowing what and where your records are throughout your organization. This will allow your organization to identify where personal data is stored. What applications that store personal data are used by different departments? Are employees using personal drives or devices to store any personal data? What records that your company creates, generates, manages, or stores contain personal data?
Creating an inventory of all your organization's records is the foundation to governing your information assets and complying with GDPR.
Software tools like iGMapware allow you to identify the records within your organization, and analyze where all customer personal data is stored - including what media it is in, what types of personal data it contains, security level within your organization, location of the asset, third parties that may hold an original version or copies, disposition instructions, and more.
Contact us to hear more about how iGMapware can assist you with GDPR compliance. Our software and consulting services can help you optimize your records management and compliance programs to effectively govern your information and put your data house in order.
Helpful resources for GDPR compliance: