The European Union’s General Data Protection Regulation (GDPR), which became enforceable in May 2018, was the most sweeping set of new privacy standards to appear in decades. Because of its scope, and the increasingly global nature of financial and supply chains across all industries, GDPR has had ramifications far beyond Europe. Any company with ties to the continent has had to amend its contracts, and after nearly a year in the post-GDPR world, many businesses are still navigating the situation to ensure their standing among European partners and suppliers.
Many of SC&H Group’s partners rely on us to handle their sensitive data, so we have had many conversations about GDPR regulations in the last year, and gotten a sense for the challenges that many organizations face when trying to accommodate the new requirements. Third-party security certifications can be a considerable resource commitment, so what can you do right now, on your own, to remain in good GDPR standing and keep your purchase orders coming in? Here are seven practices we’ve seen in the past year:
- Designate a person or group internally to ensure compliance with data-protection requirements.
GDPR surely isn’t the only data-protection requirement your company is beholden to. Others have been enacted by different countries, industries, even particular business partners. If anything, GDPR is just the most recent and most wide-ranging of a growing web of regulations in contemporary business and finance, and your organization should have a person or team tasked with making sense of all these overlapping requirements and ensuring that every contract, deliverable, and transaction meets the appropriate standard. Note that for some organizations (for example, those whose core activities involve large-scale monitoring of individuals or processing of special categories of data) GDPR requires a formally designated Data Protection Officer rather than an informal owner, so check whether that obligation applies to you.
- Perform annual privacy and security training for all employees.
Data privacy isn’t only a matter of meeting regulations. You’ll have an easier time getting buy-in for a full-scale business certification if you create a culture of security in your company. Convey the importance of data privacy by holding annual or semi-annual training sessions for employees and contractors so that everyone is on the same page about protecting the personal and confidential information that passes through your business.
- Create and adhere to a document retention policy.
A document retention policy (DRP) creates a framework for handling sensitive materials for their entire lifespan, from creation to destruction. It ensures accountability and dependable record-keeping, and establishes a record of your company’s compliance with regulations of all kinds. It also maps directly onto GDPR’s storage-limitation principle: personal data should be kept no longer than the purpose it was collected for requires, and a written retention schedule is the simplest way to show that you actually delete data on time. DRPs are a staple of law firms, but any business would benefit from the orderliness they bring.
- Develop an incident response plan in case of a data breach.
Despite the growing global attention to data privacy, breaches are a fact of business. From the largest multinationals to smaller companies, data breaches are on the rise. Protection is just one part of a privacy plan; risk mitigation also means having a plan, and the right partnerships (legal counsel, forensics, notification vendors), in place before a breach occurs. Keep in mind that GDPR requires notifying the relevant supervisory authority within 72 hours of becoming aware of a breach of personal data unless the breach is unlikely to pose a risk to individuals, so the plan should spell out who decides, who notifies, and how evidence is preserved, and it should be exercised at least once a year rather than left on the shelf.
- Implement a mobile device policy to secure and limit use of confidential data.
Smartphones and tablets can be walking security hazards, especially with the prevalence of telework. Write a policy for your employees to ensure that your private and client information is accessed only on trusted networks or through a VPN, and only from devices that are encrypted, protected by a screen lock, and able to be wiped remotely if lost or stolen. The policy should also say what may not be done: forwarding client data to personal accounts or storing it in unapproved apps is where most of the exposure comes from.
- Self-certify under the EU-U.S. Privacy Shield Framework
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission as a self-certification mechanism that allows participating U.S. companies to receive personal data transferred from the EU. It does not certify GDPR compliance in general; it provides a recognized legal basis for the transatlantic transfer itself. A place on the Privacy Shield list signals to European partners that your company has publicly committed to the framework’s principles and is subject to Federal Trade Commission enforcement if it fails to honor them. You can start that process on your own by tasking your data-compliance team with preparing the self-certification. One component is identifying your organization’s independent recourse mechanism, the process by which European individuals may raise compliance issues or data breaches and have them resolved free of charge. (One caveat: the Court of Justice of the European Union invalidated Privacy Shield as a transfer mechanism in July 2020 in the Schrems II decision, so confirm the current status of any transfer mechanism before relying on it.)
- Implement a Supplier Security & Privacy Assurance program
The International Association of Privacy Professionals says that “third-party failure plays a part in 63 percent of all data breaches.” If your company shares personal data with a subcontractor or vendor, and you almost certainly do, you should proactively assess those third parties’ data security, privacy policies, and controls for GDPR compliance. GDPR also expects that relationship to be governed by a written contract (a data processing agreement) that binds the vendor to your instructions, confidentiality, security measures, and breach-notification duties, so the assessment should cover the paperwork as well as the controls. Organizations can do this by implementing a Supplier Security and Privacy Assurance program, which ensures their suppliers follow standardized data-protection requirements. Such a program rates each supplier’s breach risk based on the data it handles and the controls it can demonstrate, then prioritizes remediation and re-assessment accordingly.
Even with a completed Privacy Shield self-certification, many European companies expect their partners to go beyond the minimum. This is where an independent third-party certification can be an asset, or even a contractual requirement. That’s an important step, but don’t overlook the many precautions and preparations you can take on your own.
To learn more about GDPR compliance and its impact on data security and privacy practices, or the overall contract compliance audit process, contact us to speak directly with a team member from SC&H Group’s Contract Compliance Audit Services practice.