Companies have had several years to prepare for GDPR yet many still are far from being fully compliant. With the launch deadline nearly upon us, Alan Earls reports on some final thoughts for corporate preparations.
Maybe it is just that people are reluctant to face up to bad news, like an ominous diagnosis from a physician. Or, perhaps it is the broad Atlantic Ocean, which seems like it ought to provide some insulation from the long arm of European law. Whatever the reason, most experts agree that companies on the North American side of the proverbial pond are too often behind times in preparing for the consequences of the European Union’s General Data Protection Rules (GDPR), which sets a very high bar for privacy and data management. This new regulation affects nearly every organization that does online business with citizens of the European Union, regardless of the citizens’ or the company’s geographic location. “If you process data of an EU citizen — even if your business is located outside of Europe or that individual is outside of Europe — you need to make sure you have systems in place to be GDPR compliant,” says Christopher Rence, chief information, security, and risk officer at Digital River, a Minnetonka, Minn.-based global ecommerce, payments and marketing services company.
As with other amorphous business challenges that don’t go directly to the bottom line, motivation and communication are important. Organizational campaigns and general awareness training programs are a great way to generate buzz on GDPR and to prime staff on its wide-ranging requirements, notes Kevin Kish, privacy technical lead at Schellman & Company, Inc., a security and privacy compliance assessor. Longer term, your organization’s first line of defense is the people who interact with customers. So, Kish says, it makes sense to build a tactical, role-based training plan with department privacy leads to address how specific business units should handle data in their possession.
Read More: www.scmagazine.com