On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect, changing how organisations process, store, and protect the personal data of individuals in the European Union (EU). The GDPR replaced the 1995 Data Protection Directive and is the most significant piece of European data protection legislation in over 20 years. Since it took effect, the GDPR has had sweeping implications for individuals and organisations across the globe, including the Caribbean and Latin America.
While few Caribbean countries were initially aware of the implications of the new legislation, the past decade has seen widespread adoption of data protection laws and regulations based on the principles set out in the GDPR. As a result, far more businesses throughout the Caribbean have taken the steps needed to adapt, and rightly so: as a region, the Caribbean remains highly reliant on cross-border business.
The region functions as a hub for the global financial industry, with people from all over the world investing and moving their money through the CARICOM community. Under the GDPR's territorial scope, organisations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, fall within the regulation's reach, whether they act as data controllers or as data processors. The financial industry is not the only one affected: tourism, law, real estate, and construction firms also often hold significant amounts of personal data belonging to individuals in the EU. Organisations in these sectors must have plans in place to comply with the GDPR or risk fines and penalties. The GDPR allows administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. Penalties this severe could cripple a company, reinforcing the need for compliance and vigilance.
The GDPR does not prescribe a fixed list of security products. Article 32 requires organisations handling the personal data of individuals in the EU to implement technical and organisational measures appropriate to the risk, and it explicitly names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data promptly after an incident, and a process for regularly testing the effectiveness of those measures. In practice, the controls commonly adopted to meet that obligation include:
- Firewalls properly configured and kept fully updated
- User access control management, granting users only the access their role requires
- Regular software updates and appropriate patch management
- Real-time anti-virus, anti-malware and anti-spyware protection on endpoints
- Encryption of all portable devices (for example, full-disk encryption on laptops)
- Encryption of personal data in transit using suitable solutions such as TLS or an IPsec VPN
- Intrusion detection and prevention systems
The GDPR also imposes non-security obligations, notably the data subject rights: the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to data portability, the right to restrict processing, the right to object, and the right to withdraw consent at any time.
Despite the progress made on GDPR compliance, many organisations in the EU still do not meet these requirements, and the proportion in the Caribbean is believed to be higher, as are the risks. Caribbean organisations risk not only fines and penalties but also the loss of clients, some of whom will prefer vendors that meet these stricter standards.
How to Become GDPR Compliant
According to CSO, there are several key steps your organisation should take to become GDPR compliant:
- Conduct a thorough risk assessment. Make sure you understand where your data is stored and what personal data of individuals in the EU your company processes. You want to know which applications your organisation uses and how each of them processes data.
- Involve all stakeholders in the planning and assessment process. Create a task force that includes members from all departments.
- Create a data protection plan. Your organisation should already have one, but it is important to review it and ensure it aligns with GDPR requirements.
- Implement measures to reduce risk. Once you have identified the risks, take steps to minimise them and confirm that compliance has been achieved.
- Create a plan to track GDPR compliance and progress, with ongoing assessment.
- If your organisation is small, ask for help!
As legislation around data protection and security continues to intensify, organisations cannot ignore compliance in a world that is ever more connected through technology. According to a survey conducted by Varonis, 74% of companies believe that complying with GDPR requirements will give them a competitive advantage, because compliance boosts consumer confidence. More importantly, the technical and process improvements needed to meet the requirements will make managing and securing data more efficient, giving organisations several good reasons to be GDPR compliant. It is not too late to prepare for GDPR-style legislation and to keep finding ways to improve business processes that protect and secure consumer data.