Industry View: How to Meet GDPR Compliance and Boost Internal Security
25th May 2018
Ahead of the GDPR deadline on Sunday, a personal view by Stuart Sharp, Global Director of Solution Engineering at OneLogin:
Companies are rushing to update their security protocols in line with the General Data Protection Regulation (GDPR) and to change the way they handle customer data, in order to protect the personal data and privacy of EU citizens for any transaction originating in EU member states. Businesses the world over are affected, and one industry that will need to pay close attention to data security is manufacturing.
Why should manufacturers care?
While GDPR is specific to Europe, it also impacts companies with a presence in the EU and organisations that handle the personal data of European citizens. Failure to comply with regulations will be costly — GDPR allows fines up to 4 percent of a company’s global revenue or penalties up to 20 million euros — whichever is greater. GDPR will also require organisations to notify EU authorities within 72 hours of a breach and completely erase data when customers revoke their consent.
For manufacturers in particular, the new regulations will influence how they store, process and manage data for customers located in the EU. Any manufacturer that ships to an individual within the EU, employs European citizens or is involved in internet marketing will find itself subject to GDPR compliance. Additionally, manufacturers handle sensitive data such as blueprints, NPI documents and merger and acquisition deals. This type of information alone makes manufacturing one of the industries most targeted by cyber criminals, and forces manufacturers to re-evaluate how they currently handle the personal data of their customers, employees and partners within the supply chain.
With GDPR due to come into effect on Friday, manufacturers have limited options. Manufacturers looking to keep doing business in the EU will need to re-evaluate their cybersecurity strategies to remain compliant with the stricter data regulations.
How manufacturers can meet GDPR compliance and bolster internal security measures
Today, the biggest challenge manufacturers face as they work towards GDPR compliance is consolidating and normalising the disparate data they receive from their various supply chain partners and customers. Before implementing any security protocols, manufacturers first need to understand what personal data they collect, where their data lives, how it is used for operations, and how it is protected.
In order to remain fully compliant with Europe’s data regulations and to avoid hefty fines, manufacturers can take the following steps to secure any personal information stored within their databases:
• Understand what is subject to GDPR: Europe’s new data regulations apply to all companies — small and large — that sell goods or services to European citizens. This means companies that collect personal data or behavioural information from someone within an EU country must comply with GDPR, no matter where the company is based. Information collected from EU citizens in an online marketing survey, for example, would be subject to international law regardless of whether or not the company has a presence in Europe.
• Complete a thorough data security audit: Businesses should thoroughly document all of their data in order to understand where it came from, why it is processed, where it is currently stored and who it is shared with. For manufacturers, this means untangling the chaotic data flows between various supply chain partners and organising the information collected from retailers, distributors and end customers. Data flow maps can help manufacturers visualise and track sensitive information, as well as identify where that data is processed and stored.
• Centralise all European data centres on a single platform: To simplify data organisation, manufacturers should consider aggregating and normalising disparate information on a centralised platform. Third-party software providers can also help manufacturers remain compliant with international law by implementing features that control where data is stored and how it is used. With a centralised security platform, manufacturers can reduce security and compliance risk by unifying disparate partners in upstream and downstream supply chains.
• Invest in a data protection officer (DPO): Depending on the circumstances, some manufacturers may be legally obligated to appoint a DPO to oversee data security strategies and compliance with international law. DPOs are responsible for educating manufacturers on compliance, conducting routine data audits and maintaining comprehensive records of all information collected. When hiring such an officer, manufacturers should look for candidates who can manage data protection and compliance internationally while serving as the point of contact between the manufacturer and the supervisory authorities (SAs).
GDPR forces companies to rethink their existing privacy policies and how they store, process and dispose of personal data. As the EU tightens protections for its citizens' personal information, organisations all over the world will be forced to re-examine their data security strategies in order to meet the GDPR deadline. For manufacturers, this means understanding the data they process and how international law will affect day-to-day operations. Manufacturers need to take the necessary precautions to strengthen their cybersecurity protocols and information-handling processes in order to avoid costly penalties.