Get Ready for GDPR: Make Sure You’re in Good – and Compliant – Company

​A few weeks ago, we discussed The General Data Protection Regulation, known as GDPR – the massive regulatory framework that was approved by the European Union and will take effect May 25, 2018. The new regulation will change the internet as we know it forever, shifting the ownership of information from organizations back to consumers. Not only does it require European companies to take steps to protect consumer data, it also requires all organizations that handle data from European citizens to protect consumer data, even if that company isn’t based in the EU. And the penalties for not doing so are incredibly high: either €20 million ($24.5 million) or 4 percent of a company’s annual turnover.

Your Organization’s Data Footprint

​This requirement has forced companies both large and small to take a close look at their data footprint– itself an incredibly complicated process. You have to get a comprehensive picture of what client data you have. You have to understand exactly how GDPR’s requirements apply to you in terms of protecting that data. And you have to make sure that you develop your cybersecurity procedures and defenses in such a way that, should a breach occur, you can easily and clearly explain to the authorities and affected individuals exactly what happened and how you complied with GDPR in handling it.

​This is difficult enough to do in-house – but it becomes even more complicated when you consider that many organizations bring on vendors to help in all different kinds of capacities. And if you’re handed over your sensitive client information to this outside vendor and the vendor is hacked, you’re in trouble. But if the vendor is hacked and they’re not GDPR-compliant, not only have the legal implications multiplied – your organization could potentially owe millions in fines.

Vetting your Vendors

​As you continue to prepare for GDPR, keep an eye on what data goes out the door and don’t be afraid to ask tough questions of the vendors who have access to it. It’s important to make sure that they’re GDPR-compliant – not simply in order to avoid liability, but because you want the kind of people on your side who can help you navigate a breach should your organization find itself in one.

​This also applies to any new organizations you bring on to help you manage cybersecurity concerns – whether it’s a legal team to help you get your arms around the complexities of the regulation, an insurance company that can help your clients recover in the event of identity theft or a forensics team you have on-call to help you deal with a breach. It also applies to vendors who have nothing to do with cybersecurity, such as marketing or communications firms. If they get their hands – or their eyes – on client data, they should be compliant.

​There’s no denying that getting prepared for GDPR will require a good deal of work – for leadership, employees and even for consumers. But investing now in finding the right vendors will give your company an edge and prepare you for smooth sailing for decades to come.