Published on December 14, 2017
By Steve Youngman, VP Finance and Legal
When the European Union’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018, will you be ready? In the past few posts, we’ve detailed the requirements of the GDPR, how they apply to businesses, and what we’re doing here at Hush to ensure our compliance.
As a brief recap of our first post in this series, the GDPR defines personal data and sets forth guidelines for how it can be used. The three primary concepts of these guidelines are: required consent for use of personal data; full transparency in case of a data breach; and the right to access, correct, port and erase one’s own personal data from any database.
The regulations are intended to protect all EU citizens. That means if you collect any data on any EU citizen you are subject to the GDPR. However, even if your business is not subject to the GDPR, the application of its privacy protection principles may improve privacy and data security for your business. The rules that will affect businesses can be found here.
In today’s post we’ll discuss the importance of conducting a data audit to prepare your business and ensure peace of mind should you be required to demonstrate compliance.
At Hush, we have been advocating for businesses to conduct risk assessments to protect themselves from possible security breaches. The concept of the data audit is similar. By creating a clear picture of exactly how your business handles personal data, you’ll be prepared to demonstrate GDPR compliance in case of an official audit. Again, the concept is simple: Know what type of data you’re collecting; know where it’s stored; know what it’s used for; and know who has access to it and that it is secure.
In case of a GDPR audit, a comprehensive data record that you’ve constructed through an internal data audit will demonstrate the efforts your business has made to become compliant.
Let’s look at the steps of a very basic data audit in a little more detail.
You will likely find that these steps show that your business is already close to being GDPR compliant in most areas and requires only simple clarifications and consents. However, you will also likely find some areas where your knowledge about your business's data is insufficient. The GDPR provides a valuable opportunity to make the clarifications necessary to present a clear picture of exactly where your data is going.
Non-compliance can result in some hefty fines, so due diligence to meet these standards is advisable. Compliance will be demonstrated through internal record-keeping requirements.
If all of this sounds complicated, you can relax a little. While it’s true that your business may need to take action to ensure compliance, the purpose of the GDPR is fairly straightforward — to keep track of data coming in and out of a business and to ensure that it is being used for the purposes the data owner has consented to.
The protection of your customers’ and clients’ data is also a protection for your company. In an era of increasing cyber attacks and data leaks, knowing exactly where your data is at all times and having processes in place to ensure it’s being used for the right reasons will give you the ability to thwart attacks, prevent leaks and respond quickly and efficiently in case there is a breach. This is all good for consumer confidence, your brand, and the future of your business.
Steve Youngman has been part of the Hushmail team since 2000. With degrees in Commerce and Law from the University of British Columbia, he is well suited to lead our finance, privacy, and legal departments. Steve has extensive experience providing business, tax, and legal advice to entrepreneurial clients.