Data breaches have become more and more common. The Equifax data breach that was made public in September 2017 impacted 143 million Americans – nearly half the population of the United States. Data stolen included social security numbers, driver’s license numbers, and likely full names, addresses, and other highly sensitive data. In December 2017, it was discovered that marketing analytics company Alteryx had personal data on more than 120 million American households sitting in an unprotected database on Amazon Web Services.
The European General Data Protection Regulation (GDPR) is designed to add more layers of security protection to minimize the risk that similar breaches will impact citizens of the European Union (EU). Slated to take effect on May 18, 2018, the GDPR will apply to any organization that does business with citizens of the EU.
For non-compliance with administrative, processing, or collection obligations the penalty is either €20 million or a 4% fine on your annual global revenue – whichever is higher. Any company that is not already prepared should start taking steps now to minimize the risk of time-consuming investigations, loss of revenue, and – in the event of a breach – loss of reputation and customers.
What can you do to prepare? In 2016, Gartner laid out a suggested five-step framework. While the information is not new, it has clearly not been absorbed: Gartner predicts that more than 50% of affected companies will not achieve full compliance by the end of 2018 – more than six months after the GDPR deadline. While some may consider that there is safety in numbers, in reality this means there is a higher likelihood of administrative breaches and the resultant penalties.
Step 1: Determine your role
The GDPR affects all businesses that process the personal data of EU citizens, regardless of where that business is located. If you offer any goods or services to European citizens, the GDPR applies to you. The first step you should take is to appoint a representative to act as a point of contact (POC) for the Data Protection Authority (DPA) and for data subjects.
Step 2: Appoint a data protection officer
If your organization is public, processes a high volume of data transactions, and/or deals with sensitive data that requires monitoring, appoint a data protection officer (DPO). This person’s responsibilities can include GDPR compliance monitoring, informing employees about each of their obligations, advising on impact assessment and performance, and acting as the point of contact on issues related to processing.
Step 3: Demonstrate accountability in all processing
Accountability is key to the GDPR. Organizations must be able to demonstrate accountability and transparency in all decisions relating to the processing of personal data. This extends to any third parties involved. Important to note: accountability includes “proper data subject consent acquisition and registration” – which means active opt-in and no more implied consent.
Step 4: Check cross-border data flows
Personal data transfers and processing are only allowed within the EU and in select countries deemed to have an adequate level of protection. Right now, that includes the 28 EU member states, Norway, Liechtenstein and Iceland, plus 11 other countries that the European Commission (EC) has deemed to have an “adequate” level of protection: Andorra, Argentina, Canada (for commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. EU-based data controllers will need to ensure the appropriate controls are in place using the new GDPR mechanisms. Data controllers outside of the EU should select the appropriate safeguards to ensure compliance, such as Binding Corporate Rules (BCRs) and standard contractual clauses (e.g., EU “Model Contracts”).
Step 5: Know your data subject rights
Under the GDPR, data subjects have extended rights, including the right to be forgotten, the right to data portability, and the right to be informed (in the event of a data breach). If your business isn’t prepared for breaches and for people exercising these rights, it’s time to start implementing additional controls.
“Focus on Five High-Priority Changes to Tackle the EU GDPR,” Gartner, 2016
“Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation,” Gartner Newsroom, 2017