On May 25th, 2018, the General Data Protection Regulation (GDPR) will come into effect, changing the way organisations process, store and protect European Union (EU) citizens’ data. The GDPR will be the first piece of Europe-wide data privacy legislation and is the most significant piece of European data protection legislation in over 20 years. Contrary to popular belief, the GDPR will have sweeping implications for individuals and organisations across the globe, including the Caribbean and Latin America.
Businesses throughout the Caribbean have paid very little notice to the GDPR, with few aware of the implications the new regulations may have on their organisation. The Caribbean is highly reliant on cross-border business. The region functions as a hub for the global financial industry, with citizens from all over the world investing and moving their money throughout the region. Therefore, many financial institutions in the region hold the data of countless EU citizens, and as a result fall under the purview of the GDPR. Businesses in other industries such as tourism, law, real estate and construction are also in possession of significant amounts of EU citizens’ data. Organisations in these sectors must have plans in place to adhere to GDPR legislation, or they risk being fined and penalised. The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. Penalties this strict could severely impact a company, reinforcing the need for compliance and vigilance.
The GDPR requires organisations with possession of EU citizen data to uphold strict security requirements such as:
- Firewalls properly configured, with all software updates applied
- User Access Control Management in place
- Regular software updates, and appropriate patch management
- Anti-virus, anti-malware and anti-spyware software with real-time protection
- Encryption of all portable devices
- Encryption of personal data in transit using suitable encryption solutions (such as an IPsec VPN or SSL/TLS)
- Intrusion detection & prevention systems
GDPR requirements also include non-security requirements such as the right to be forgotten, the right to opt out, the right of access, the right to portability and the right to object.
Many organisations in the Caribbean currently do not meet these requirements, and come May 25th will find themselves in non-compliance with the GDPR’s regulations. A recent study by McDermott Will & Emery, conducted by the Ponemon Institute, found that 40% of U.S. and European companies polled do not expect to meet GDPR compliance requirements by May 25th. In the Caribbean, these numbers are expected to be higher, with fewer organisations prepared for GDPR compliance. Organisations in the Caribbean run the risk of incurring fines and penalties, and risk losing clientele as some clients will prefer to use vendors that meet these stricter regulations.
How to Prepare for GDPR Compliance
According to CSO, there are several key steps your organisation should take to prepare for GDPR compliance:
- Conduct a thorough risk assessment. Ensure you understand where your data is stored and what type of information your company processes for EU citizens. You want to know which applications your organisation uses and how they each process data.
- Involve all stakeholders in the planning and assessment process. Create a task force that includes members from all departments.
- Create a Data Protection Plan. Your organisation should already have one, but it’s important to review it and ensure it aligns with GDPR requirements.
- Implement measures to reduce risk. Once you’ve identified the risks, take the steps to minimize these risks and ensure compliance is met.
- Create a plan to track GDPR compliance and progress, with ongoing assessment.
- If your organisation is small, ask for help!
As legislation around data protection and security continues to intensify, and as our world becomes more connected through technology, it is impossible for organisations to ignore compliance. According to a survey conducted by Varonis, 74% of companies believe that by complying with GDPR requirements they will have a competitive advantage, as their compliance will boost consumer confidence. More importantly, the technical and process improvements necessary to meet the requirements will enable efficiencies in how they manage and secure their data, giving organisations several favourable reasons to be GDPR compliant. Therefore, it isn’t too late to prepare for GDPR legislation, and to continue finding ways to improve business processes to protect and secure consumer data.