New data regulations have been at the forefront of the tech conversation for years now. Most recently, GDPR and its UK equivalent, the DPA, have forced companies like yours to completely re-examine the way they collect and handle consumer data. In the US, the California Consumer Privacy Act adds similar protections for California citizens, and more states are expected to follow suit.
You’ve doubtless already had lawyers and tech experts take a look at your policy to make sure you’re not at risk of facing serious fines and penalties, but data compliance isn’t just about making sure you meet the minimum requirement to avoid legal consequences. Here are some proactive steps you can take to ensure that you and your staff remain compliant with any and all data regulations in the future.
Improve Your Company’s Approach To Data Compliance
Having your lawyers and tech professionals draw up a new policy for data regulation compliance is one thing — ensuring that it’s followed is another. Whether it’s for GDPR or another future regulatory change, it’s important to make sure that your staff gives compliance the attention it needs.
Ensure That Your Team Buys In
You can pay thousands for new software or consultants, but those investments are wasted if your employees don’t recognize the importance of compliance. Attempting to implement new policies or resolve security and compliance issues won’t get you anywhere if you neglect to train your staff.
Whether you use group training or one-on-one sessions, every employee needs to know the ripple effect that a single compliance failure could have on the entire company. Without widespread education and adoption of new policies, compliance efforts will fail.
Make Audit Preparation A Priority
New regulations open you up to a surprise visit from an auditor, which can have a major impact on your company’s long-term success. Even if everything is compliant, it can be time-consuming and distracting to try to pull together all the resources that the auditor needs access to.
Establish an audit preparation policy. Not only will you have everything in order in the event that an auditor does show up, but the act of preparing will help you avoid the very vulnerabilities and oversights that lead to breaches and compliance violations in the first place.
Know Where Your Data Lives
There are two components to this — your data and the data that third-party software generates. When it comes to your in-house data, it’s easy to sign up for a cloud storage solution and think your job is done, but cloud storage opens up other compliance questions. Data compliance laws are dependent on where data is hosted, how it travels between servers and across national borders, and who has access to it when it moves.
The simplest solution is to make sure that all your in-house data — your website, cookies, and any PII you have on your customers — is stored on a cloud service that’s GDPR-compliant. Amazon Web Services is already compliant, as are most other international-scale cloud services, so this shouldn’t be hard to do. You also have the option of storing your data locally, but that’s likely to be more expensive and require more attention than cloud storage — and you’ll still need GDPR procedures in place when dealing with EU data.
A frequent misunderstanding of GDPR is that all PII has to stay within the EU, but that’s not the case. Data can be moved across borders as long as the other hosting sites are up to GDPR standards as well. Since providers, data controllers, and users are equally responsible under GDPR for data security, the big, international data handlers like Microsoft, Google, and Amazon are already incentivized to keep all their data practices compliant with the strictest standards.
That brings us to the second component. If you use services like Hubspot, Marketo, Salesforce, Google Apps, and so on, you have limited control over how they store and move their data — some of which applies directly to your customers. Any time you implement a new technology, whether for your own cloud storage or another SaaS, you should do a privacy impact assessment to make sure they’re handling your — and your clients’ — data safely.
What it comes down to is that you’ll need to do your homework. Before you implement a cloud storage solution, do your research into where their servers are, how they transmit data, and whether their data handling practices are compliant. If you use a non-compliant service and your customers’ PII is compromised, the penalty may be severe.
Be Ready For Data Subject Access Requests
One major component of GDPR is granting users increased access to their data — data subjects (your customers) have the right to see exactly what data you have on them and to “exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
You, the data controller, will need to respond to such requests within a month of receiving them, so you need to establish a process for handling subject access requests.
When a request is filed, you’ll need to provide the following to data subjects:
- Whether their personal information is being processed
- Why you’re processing it
- Which categories of data you’re processing
- Who else is getting a copy of that data
- How long you’re planning to store the data (or the criteria you use to decide how long to store it)
- The right to request that you, the data controller, correct or erase the data you have pertaining to that subject
- Any information about the source of the data, assuming you didn’t get it all from the user themselves
- The existence of any automated processing or profiling procedures you have in place for the data
You’ll also be expected to comply with these requests free of charge most of the time. There are provisions in place to charge a fee or take longer than three months if the data request is unduly complicated or repetitive, but you should plan on the typical one-month deadline. There are several resources available for developing your own procedure, or you can consult with your own attorneys to generate one.
Use Software To Help Prevent Human Error
Compliance laws are complicated, and it’s difficult for your IT staff or anyone else to know every nuance of them. Instead, consider using tools like AssetAware to help ensure compliance across your company. Using dedicated software to ramp up compliance efforts will streamline asset management, simplify audit preparation, and encourage a company culture of taking compliance seriously.
Protect Yourself From Information Breaches
Compliance in data collection is just one half of the equation — safely storing consumer data is another. GDPR and other regulations have imposed a much stricter burden on companies to manage their customers’ data and protect it from unauthorized access. Don’t think that you’re immune to hacking attempts, even if you’re a small business — a breach doesn’t have to be the size of Target or Marriott to be worth worrying about.
Limit Employee Access To Data
Most data breaches or lapses in compliance are caused by human error — either someone is unaware of proper procedure or they’re simply careless. You made an effort to ensure that your employees were trustworthy and well-trained when you brought them on, but you can take your security a step further.
Ask yourself who among your staff really needs access to personally identifiable information (PII), what procedures should be in place for them to get it, and who monitors that access. Employees should only have access to data that they absolutely need to do their jobs. The fewer employees who have access, the lower the risk of mistakes.
Scrub Files And Shred Documents
Deleting a file on a computer or hard drive is no more secure than throwing an intact document in the trash — it doesn’t disappear, it’s just harder to come by. If you’re discarding customer PII that’s no longer needed, you have to do it thoroughly — overwrite trashed files and shred any paper documents. If you’re throwing away a hard drive or computer, physically destroy the hard drive so that its contents are unrecoverable.
Protect Your Hardware And Software
All your equipment should have password protection — no, the password can’t be “password,” and your office’s machines can’t all have the same password. Use a password manager like LastPass to manage your team’s password security — you can grant temporary or permanent access to sensitive logins, monitor the quality of your staff’s passwords, ensure that they’re using unique passwords for every login, and force them to change passwords regularly.
Password security goes for outside contractors and former employees as well. Don’t write passwords down on a piece of paper for IT contractors, and change them as soon as someone who doesn’t need access leaves your company. All the encryption in the world won’t help if someone still has an old login.
Stay On Your Toes
Compliance with data regulations across the world is a difficult game — GDPR was a substantial shift in the way a lot of companies did business, and many believe that similar regulation in the US is inevitable. You’ll need to keep abreast of new legislation as it comes, but with these tips, any changes should be easier to make.