Changes in European Data Protection Regulation: A look at the GDPR

For instance, not only do organisations need to put in place a clear privacy policy to be provided to anyone they hold data on, but they also need to be able to provide them with a copy of their personal data in a format that can be easily electronically transmitted.

Organisations will also need the capability to delete all customer data on request under the 'right to be forgotten'. This part of the regulation is already influencing the behavior of search and social companies, such as Google and Facebook, as they prepare for GDPR.

TRP Are organisations prepared for the roll-out?

LT It seems that few are indeed ready. According to a recent Ipswitch survey of 316 European organisations, more than half (56 percent) of respondents could not accurately identify what 'GDPR' means.

Over half of respondents (52%) admitted they were not ready for GDPR, and over a third (35%) confessed to not knowing whether their IT policies and processes were up to the job. Only 14 percent of respondents could correctly identify that the GDPR is due to come into effect in late 2014/early 2015.

Despite the lack of awareness of regulatory change, when asked about priorities for 2015, only 13 percent said they planned to spend more time understanding and preparing for regulation. A quarter (26%) said they wanted to spend more time reviewing and tightening security policies and a further quarter (26%) said they wanted to be able to spend less time on manual reporting and auditing.

In addition to testing the readiness of IT professionals, the survey also revealed that very little thought has been given to whether an organisation's Cloud Service Provider (CSP) is ready for the change. Although 79 percent of those surveyed retained the services of a CSP, only six percent of them said that they had thought to ask them whether they were ready for the GDPR.

TRP What can organisations do to ensure they meet these new regulations?

LT GDPR includes an obligation to protect personal data across the borderless enterprise. IT professionals should review and bolster their data processing policies and practices now, before the regulation comes into effect.

There are practical steps that can be taken now to ensure that policies, procedures and technologies run by organisations are up to the job of complying with the GDPR. Contracts with data processors and Cloud Service Providers need to be reviewed.

Set out to know exactly where your cloud data is hosted and understand how it is backed up and encrypted. Begin to set up procedures now to start securing explicit consent for the collection and processing of personal data.

Once confident in their systems and procedures, organisations will be able to apply for an EU Data Protection Seal, which will be a five-year certification of their processes.

  • As VP of International Sales, Loic Triger oversees all activities related to sales in EMEA, APAC, and Latin America for Ipswitch File Transfer.