With the first wave of the General Data Protection Regulation (GDPR) settling down, now is a good time to consider the broader implications and how it will likely impact the future of data protection throughout the U.S.
The GDPR is a set of new rules designed to give European citizens more control over their personal data. While the GDPR is a data protection law in Europe, it can also affect foreign companies that do business with European nations. Similar data privacy protection regulations will likely reach the U.S. within the next few years.
Preparing for the Future
Even if GDPR isn’t relevant to your business today, it is not too early to reassess how – and why – your company has been collecting data. Certainly, if you are making significant new investments in technology, it’s important to be sure your new solutions will allow you to comply with stricter standards of data protection for global trade, or with tighter controls that may come from U.S. regulations.
As every organization is unique in its data collection practices, it is important to reach out to your legal advisors and communications counselors to develop an understanding of your risks and put together your action plan. Neuger Communications Group can help you both implement and communicate about data protection, but there are also critical steps that you can take today to be ready for a tighter standard in the near future.
1. Data Mapping
It is imperative that organizations understand how they collect, process, use and disclose personal data; how third-party tools are using that data; and what personal information they are storing. Consider whether the personal data is still necessary or whether it should be deleted. Understanding this data lifecycle is necessary to take appropriate steps toward ensuring you have the best data protection practices possible.
2. Privacy Notices
Organizations should review their current versions of privacy notices to ensure they are robust. If an organization does not have a privacy notice, one should be drafted and implemented.
3. Data Request Handling
The GDPR accords several rights to data subjects – such as the right to editing, erasure and data portability. It appears likely that this type of requirement will become law in the United States at some point. Organizations need to ensure their systems are capable of fulfilling these requests when a data subject rightfully requests these actions.
4. Data Breach Notification
Best practices dictate that a data breach is communicated as soon as feasible. For example, the GDPR requires a data controller to notify a privacy regulator within 72 hours of discovery of the breach. Therefore, organizations need data breach notification policies and procedures in place. Employees should be trained on what to do in this circumstance to ensure compliance.
5. Train the Team
An organization’s sound data privacy policy may require a cultural change about how an organization views personal data. It is important to make sure the entire organization is trained and informed on new data processing procedures and that compliance comes from every level of the organization.