The General Data Protection Regulation (GDPR), which took effect this May, came packed with serious headaches for the corporate gatekeepers responsible for protecting users' personal information, and with unprecedented penalties for those who don't comply. And it isn't only organizations in the 28 EU countries that are affected: if you track, hold or manage data about anyone who lives in them, you're on the hook.
There is no silver bullet that gets you on the right side of this sweeping legislation quickly, but a handful of resources can help your marketing and IT departments make the changes needed now.
Here’s what you need to know about keeping the user data you are entrusted with safe and in compliance.
What You Need to Know
You’re running a business. Chances are communications are a big part of your day-to-day life with clients, suppliers and staff and that the bulk of those communications are electronic. Emails, text messages, chat channels, forums, Google Docs and social media are all part of a constellation of conversations and content that make up many corporate communications ecosystems.
With small businesses making up the overwhelming majority of firms (in the U.S., firms with fewer than 500 workers accounted for 99.7 percent of businesses, according to data from the Census Bureau's Annual Survey of Entrepreneurs), there are bound to be a lot of scattered communications systems cobbled together to get the job done cost-effectively and with as little friction as possible.
But at what point does this become a real liability? The popular and often free tools of the day offer an easy way to share information and knowledge without a large budget or much technical know-how, but depending on them as part of your organizational strategy raises two questions: who is watching the gatekeepers, and how is that putting us at risk?
This past year has seen a major reckoning on this point in the wake of the Facebook-Cambridge Analytica scandal (initially reported as affecting the personal information of 50 million users, a figure Facebook later revised to as many as 87 million) and, in the same spring, the arrival of the General Data Protection Regulation (GDPR), adopted in 2016 and enforceable from May 2018, which gives consumers more power, and consequently gives businesses more reason to be vigilant, than ever before.
Here's what you need to know right now about keeping your corporate content and communications, and the data of the users you are entrusted with, safe and in compliance.
1. What do I need to know about the GDPR?
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) came into force on May 25th of this year. It strengthens individuals' rights to hold those who collect and store their data to account like never before, backed by fines of up to €20m (£17.5m) or 4% of the company's annual global turnover, whichever is higher, for those who breach it.
How will it affect my organization?
While consumers are bound to relish their new empowerment in the wake of the Facebook-Cambridge Analytica scandal and Google's recent admission that a bug had exposed Google+ profile data for years (and its decision to shut down the consumer version of Google+ as a result), this powerful new legislation has many businesses worried and scrambling to ensure they're in compliance.
In the simplest terms, the regulation requires companies to tell their customers why they hold their personal data, to set out what data is held and how it will be used, and to store it securely. Note that the GDPR is a regulation, not a directive: it applies directly in every member state without needing separate national legislation.
But the GDPR is legislation covering the European Union and my company isn’t even there.
While the GDPR directly impacts the 28 countries that currently make up the EU (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK) it is not limited to businesses operating within those countries.
"GDPR applies to all organizations holding and processing EU residents' personal data, regardless of geographic location. If an organization offers goods or services to, or monitors the behavior of EU residents, it must meet GDPR compliance requirements." (SOURCE: Kris Lahiri, Co-founder, Chief Security Officer, Egnyte via Forbes)
2. Where can I get checklists and tools to help me with compliance?
The expectations of the GDPR are going to mean digging deep into your organizational practices and ethics and acting on them transparently.
Not ready? You're not alone. According to Gartner, fewer than 50% of the organizations affected by the GDPR are likely to be in full compliance by the end of 2018.
This legislation has a very broad impact, and one that can't be addressed with a simple checklist. It's intended to instill a larger sense of corporate responsibility for the way personal information is collected, stored and handled. There are, however, a handful of terrific resources to get everyone from your marketing department to your CIO and your security and risk management leaders where they need to be.
Sample forms and documents
TechPro has made samples of some of the key documents you'll need available:
- GDPR consent request forms: Sample text
- GDPR data breach notification letter
- Hiring kit: GDPR data protection compliance officer
Checklists to move toward compliance
Other helpful resources that step you through the actual process of setting up include:
- codeinwp's "6 Key Steps to Ensure GDPR Compliance – The Steps You Need to Take Right Away"
- ZDNet's marketing department lifesaver "GDPR compliant? Here's a handy five-step preparation checklist"
Unpacking the complexity of the legal language
If you're in the business of treating data as a product (marketing firms and the technology companies that serve them, for instance), you'll want proper legal advice to make sure you get this right, given the size of the penalties for landing on the wrong side of the GDPR. The people whose data you manage have powerful new rights, including:
- The right to be forgotten
- The right to data portability
- The right to be informed (of a data breach that puts them at risk, for example, or of the logic behind automated decision-making, including decisions made by machine learning systems)
You can find the full text of the official GDPR broken down section by section on the web with a downloadable PDF.
There are a variety of resources available to help you unpack the complexities of this new legislation, including:
- the EU GDPR.org portal
- the actual GDPR website
- Gartner's "The Top 10 Basic Changes Needed for GDPR Compliance" on-demand webcast (helpful for CIOs and security and risk management leaders)
- TechRepublic's "Best practices for reducing GDPR liability" video in under 10 minutes.
3. How can a communications hub help me meet GDPR requirements?
It can be a headache to accurately inventory and map all of the data the GDPR requires you to protect, and to act on requests to correct or erase personal data, when it is stored not only on your own network but also on those of various cloud providers.
Identifying and prioritizing gaps in your GDPR compliance program and ensuring continued adherence can sometimes be easier to manage from a centralized resource. There are a variety of different platforms to help your organization through risk assessment and the automation of data discovery, data classification and monitoring. The ideal platform might allow you to continue using your favourite tools while integrating them into a centralized hub that automates the key points of GDPR compliance, including:
- ☑ the management of opt-in consents for contact and email marketing
- ☑ minimization of the amount of private data you are storing
- ☑ an auditable log of when, how and from what IP address consent was granted
- ☑ the ability to identify stale/inactive user accounts
- ☑ the automation of user provisioning and deprovisioning (create, modify, activate, deactivate, and delete user access to services and files)
- ☑ adherence to the 'right to be forgotten' requirement
- ☑ the enforcement of strict control over access to data
- ☑ an individual rights request portal
- ☑ data processing activity records
- ☑ timely detection of suspicious activity
- ☑ data breach notifications
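Three of the items above (the auditable consent log, the right to be forgotten and stale-account detection) pull against each other in practice: an audit trail must not be editable, yet an erasure request means removing personal data from it. As an added illustration, not InspireHUB's code and not taken from any product mentioned on this page, the Python below sketches one way to reconcile them. Consent events go into a hash-chained log under a pseudonymous token rather than the raw user identifier; the IP address is held in a separate store and only committed to the log by a salted digest, so erasure can delete the personal data while the proof that consent was given and later withdrawn stays verifiable. The subject ids, addresses, timestamps and the PSEUDONYM_KEY value are constructed for the example; in production the key would be a managed secret.

```python
"""Consent ledger sketch: hash-chained consent log, erasure that keeps the evidence,
stale-account detection. Added illustration, not InspireHUB code; data is constructed."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Assumption: a secret used only to pseudonymize subject identifiers in the log.
PSEUDONYM_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def pseudonym(subject_id: str) -> str:
    """Keyed hash: the log never holds the raw identifier, only this token."""
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def event_hash(prev: str, body: dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.subjects = {}  # subject_id -> minimal profile (data minimization)
        self.chain = []     # append-only consent events; pseudonymous, no raw PII
        self.details = {}   # event hash -> {"ip", "salt"}; the erasable part

    def _append(self, fields: dict) -> str:
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        event = dict(fields, prev=prev)
        event["hash"] = event_hash(prev, event)
        self.chain.append(event)
        return event["hash"]

    def register(self, subject_id, email, last_active):
        self.subjects[subject_id] = {"email": email, "last_active": last_active}

    def record_consent(self, subject_id, purpose, granted, method, ip, at):
        """When, how and from what IP consent was given or withdrawn."""
        salt = os.urandom(8).hex()
        h = self._append({"subject": pseudonym(subject_id), "purpose": purpose,
                          "granted": granted, "method": method, "at": at.isoformat(),
                          "ip_digest": hashlib.sha256((salt + ip).encode()).hexdigest()})
        self.details[h] = {"ip": ip, "salt": salt}  # committed by digest, stored apart
        return h

    def has_consent(self, subject_id, purpose) -> bool:
        """Latest event wins; purpose "*" (erasure) withdraws everything."""
        token, state = pseudonym(subject_id), False
        for e in self.chain:
            if e["subject"] == token and e["purpose"] in (purpose, "*"):
                state = e["granted"]
        return state

    def verify(self) -> bool:
        """Recompute the chain; any edited or dropped event breaks it."""
        prev = GENESIS
        for e in self.chain:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or e["hash"] != event_hash(prev, body):
                return False
            prev = e["hash"]
        return True

    def erase(self, subject_id, at):
        """Right to be forgotten: drop profile and IPs, keep proof that events happened."""
        token = pseudonym(subject_id)
        self.subjects.pop(subject_id, None)
        for e in self.chain:
            if e["subject"] == token:
                self.details.pop(e["hash"], None)
        return self._append({"subject": token, "purpose": "*", "granted": False,
                             "method": "erasure-request", "at": at.isoformat(),
                             "ip_digest": None})

    def stale_accounts(self, now, max_idle_days=365):
        """Accounts with no activity inside the retention window."""
        cutoff = now - timedelta(days=max_idle_days)
        return sorted(s for s, p in self.subjects.items() if p["last_active"] < cutoff)

def demo():
    """Constructed walk-through; returns the facts a compliance check would assert."""
    now = datetime(2018, 11, 1, tzinfo=timezone.utc)
    days_ago = lambda n: now - timedelta(days=n)
    ledger = ConsentLedger()
    ledger.register("u1", "alice@example.com", days_ago(3))
    ledger.register("u2", "bob@example.com", days_ago(500))
    h1 = ledger.record_consent("u1", "email-marketing", True, "web-form", "203.0.113.7", days_ago(3))
    ledger.record_consent("u2", "email-marketing", True, "web-form", "198.51.100.9", days_ago(500))
    ledger.record_consent("u1", "email-marketing", False, "unsubscribe-link", "203.0.113.7", days_ago(1))
    out = {"stale": ledger.stale_accounts(now)}
    ledger.erase("u2", now)
    out.update(u1_consent=ledger.has_consent("u1", "email-marketing"),
               u2_consent=ledger.has_consent("u2", "email-marketing"),
               u2_profile_gone="u2" not in ledger.subjects,
               u2_ip_gone=all(d["ip"] != "198.51.100.9" for d in ledger.details.values()),
               u1_ip_kept=ledger.details[h1]["ip"] == "203.0.113.7",
               events=len(ledger.chain), chain_ok=ledger.verify())
    ledger.chain[1]["granted"] = False  # simulate someone editing the log
    out["tamper_detected"] = not ledger.verify()
    return out
```

The design point is the split between the chain and the details store: the chain carries only what is needed to prove that a consent event happened (pseudonym, purpose, decision, method, time, and a digest of the IP), so it can be immutable, while the IP address itself lives where it can be deleted on request. An erasure is itself logged, which is what lets you later demonstrate that the request was honoured.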
At InspireHUB, we've made it our business to do these things well.
We know how important it is to protect client data and privacy, and to keep the conversations and content that drive your internal and external communications safe as well. Our IHUBApp lets you create content, integrate a variety of third-party tools (calendars, YouTube videos, Google Docs and Sheets, Salesforce and more), and manage access to and share that content from a centralized hub. That hub supports transparent management of consent throughout the customer life-cycle and helps your organization produce the evidence needed to show that your handling of personal data meets the GDPR's requirements.
Let us help you take control of your communications!
Let us show you how much time and money we can help you save while increasing employee engagement. Our proprietary ROI calculator will help you understand the impact on your organization, so you can see exactly what these statistics mean in hard dollars for your own company.
Internal communications are essential to a company's growth and success: they affect morale, productivity and revenue.
You might be surprised to learn the numbers behind the way businesses are using technology to boost employee engagement and the bottom line.
The corporate intranet plays an important role in internal communications, and "Intranet 2.0" is the social intranet.
While the types of tools and the ways they are used vary widely, studies offer insight into the barriers to communication and the boosts to productivity and employee engagement.