GDPR is Officially the Law. Now What?

The moment has finally arrived. As of 12:00am on May 25, after two years of preparation and a massive last-minute barrage of privacy policy updates, the General Data Protection Regulation has the force of law across the European Union.

Whether they've stayed ahead of the compliance curve since the law was first announced, or have kept their heads in the sand and made no preparations at all, organizations around the world are all wondering the same thing:

What happens next?

How many EU citizens will try to invoke their right to be forgotten, and what arguments will companies use in order to hold on to those citizens' data? How will supervisory authorities in 28 different countries maintain consistency in how they enforce the law? What company will be the first to get hit with the GDPR’s maximum penalty?

The answers to these and many other questions about the GDPR may be slow to emerge. That doesn’t mean that organizations can afford to sit back and wait for additional guidance. After the initial race to check the box and demonstrate compliance with the letter of the law, companies should assess whether their data protection strategies are aligned with the GDPR’s underlying principles.

Close your security gaps

Leading up to the effective date, many organizations focused on requirements that called for visible action by May 25, like changing their opt-in procedures or designating their data protection officers. Now that the deadline has passed, it’s time to take another look at the considerations that will make or break GDPR compliance in the long term, like vulnerability to a data breach.

No one wants to make headlines as the recipient of a GDPR fine for failing to protect sensitive data. Even if the GDPR supervisory authorities don’t go immediately to their biggest weapon (a fine equaling 4% of a company’s annual revenue), any fines related to data breaches are likely to be significant, and will draw more media attention than usual as the world watches to see how the GDPR works in practice.

Consumer information and other forms of sensitive data need to be protected everywhere, all the time. If sensitive information is being stored or transmitted without encryption or another form of protection on your organization’s servers, laptops, or desktops, it’s only a matter of time before it falls into the wrong hands and brings you to the attention of the EU’s data protection enforcers.

Delete data you don't need

Many companies have already updated their data retention policies in order to meet GDPR mandates, but even those organizations are probably still holding on to data that they don’t really need.

As time passes and data volumes grow, files containing consumer information continually pile up on employee computers, cloud storage folders, and network file servers. Even when files have lost their importance to the company that owns them, they represent a potential treasure trove to identity thieves and other criminal elements who may eventually break in and find them.

An organization-wide effort to identify outdated and unnecessary information will not only reduce your exposure to data breaches, but can put a significant dent in your costs for storage hardware or cloud services.

Keep an eye on your data

Data-centric security starts with knowing where your data is. Most organizations have a decent grasp on what’s contained in their databases, a limited idea of what’s stored on their file servers, and essentially zero visibility into the data stored on laptops and desktops. That’s a serious concern, because the vast majority of data in a typical organization is stored outside its database servers.

Implementing an information security strategy that includes data discovery and data classification on file servers and employee devices can pay huge dividends. Once your organization really knows what data it has and where the data is located, it can ensure that consumer information remains protected from the constantly growing list of internal and external cyber threats.

The GDPR may not be a perfect solution, but it represents a step forward in the effort to keep sensitive data safe from those who would exploit it. Companies that make a strong commitment to the principle of “data protection by design and by default” will not only maintain a good GDPR report card, but will enjoy the long-term financial benefits that come from well-deserved consumer trust.

PKWARE’s Smartcrypt is the only data security platform that integrates data discovery, classification, and protection into a single workflow. With Smartcrypt, you can find, protect, and manage sensitive data across the entire organization from a single point of control.