The General Data Protection Regulation (GDPR) is a new privacy regulation in Europe that protects the personal data of any individual based in the European Union (EU), regardless of citizenship or where the data is held. It applies to any organization located inside or outside the EU that offers goods or services to — or monitors the behavior of — EU data subjects. The GDPR will be enforced in May 2018 and outlines strict fines for companies found to be out of compliance. Now is the time for SAP customers to establish a process for adhering to the necessary requirements.
To be compliant — and stay compliant — with the GDPR, companies need to be mindful of four critical areas: policies, procedures, protocol, and people (see Figure 1).
Policies
Identify a risk team to conduct a risk assessment. Evaluate and determine which data falls under the GDPR, where that data resides, and how it moves through the system. Once the inventory of personal data is complete, establish a policy for handling that data in compliance with the regulation. There should also be a policy around proper security controls to prevent external or internal exposure of personal data. All potential risks should be categorized and relayed to data stewards or owners before a specific policy is put in place.
Procedures
Existing procedures for collecting and storing data must be adapted to be fully GDPR compliant. In some cases, this may require an overhaul of existing procedures. In others, retained information may no longer be required, thus eliminating some procedures altogether. Examples of well-established procedures that will need to be reexamined include informing individuals when and why personal data is collected and requesting that individuals give explicit consent to retain personal information.
Protocol
Develop a protocol for how you will handle situations in which individuals want to invoke their rights under the GDPR. You need to consider areas such as: Who will be responsible for handling inbound requests? What is the procedure for addressing such a request? In which cases does information need to be kept for legal, business, or other reasons? Each area should be thoroughly considered, with the protocol clearly communicated to all key stakeholders.
People
Educate your customers, vendors, and employees about the GDPR and relay the steps you are taking to safeguard their personal information. Let them know how much you value their privacy and your role as the custodian of their personal data. Be sure to give them peace of mind that you are taking the regulation seriously and approaching it carefully and swiftly. In the end, they will thank you — and your organization can rest assured that you are in full compliance.
Be Compliant, Stay Compliant
The GDPR will affect SAP customers worldwide, regardless of whether they are located in the EU. With strict fines and regulations, non-compliance could be costly for the unprepared company. By building your approach to the GDPR around these four critical areas, you can ensure that your company is compliant and stays compliant in the future. To learn more, visit www.dolphin-corp.com/compliance.