Client Data: Do you have the right answers?

Do your clients ask how your firm handles data and security? More than ever, firms are expected to explain how they protect their clients’ private data—properly and securely. The right answers can have major implications for your clientele and for your compliance obligations.

What we’ll cover:

  • What are the top steps to keep you compliant?
  • What type of training does your firm need?
  • Should you be doing a security audit?
  • What about updating your firm’s policies?
  • Understanding the difficult technical questions

The top 4 things that take you out of compliance

As the leader of an evolving organization, you’re expected to keep employee and customer data as secure as possible. However, aging technology and processes sometimes result in disconnects and even mistakes that interfere with regulatory compliance requirements. For example, the financial industry is rife with examples of tax and recordkeeping violations, and the penalties can range from hundreds to thousands of dollars.

So, what are common mistakes that cause otherwise responsible organizations in various fields to fall out of compliance when they make the move to new solutions? The following are some examples that you should avoid to minimize your risk of missing compliance requirements.

1. Forgetting about GDPR

The General Data Protection Regulation (GDPR) went into effect in May 2018, and while it primarily affects European companies, it also affects American companies that collect, maintain or process personal data of people living in the European Union. If your business has no dealings whatsoever with folks in the EU, that’s one thing, but in today’s global economy, it’s best to be ready if you decide to expand at some point in the future.

Regardless, these regulations are a good standard to strive for. They require that businesses be aware of the types of data they collect, keep on top of security breaches and follow a clear, transparent consent process, among other things. For example, as an article in CSO explains, “Opting for a mailing list does not give the small-business owner the ability to use a customer’s data for something else unless this is outlined. Individuals should also know how to withdraw from your database at any time.”

It’s a good idea to keep GDPR in mind as you move to the cloud.

2. Not checking out third parties thoroughly

It’s likely that your business is partnering with at least one vendor to implement and improve cloud solutions. Perhaps a managed services provider is handling this for you, or maybe your business uses an offsite data center. In both cases, it’s still your responsibility to ensure that vendors and other subcontractors follow these guidelines to protect data and maintain the same level of security.

3. Allowing BYOD without a tight policy

Bring your own device (BYOD) policies are popular in many businesses, but they can backfire if the policies don’t follow a strict set of security protocols. For example, it’s necessary to have data encryption and strong password requirements to address any security issues with apps or software. Make sure you have an adequate BYOD policy in place when moving to the cloud or allowing employees to use their own cell phones, tablets and computers.

4. Collecting unnecessary information

Many customers don’t think twice about turning over personal data such as Social Security numbers, even for something as simple as a fishing license. However, as a general rule, if certain pieces of customer data aren’t needed, don’t collect them. If you do have a good reason for collecting the data that you do, explain your rationale to customers and share how you’ll use their data.

Apart from lacking a disaster recovery plan or failing to train your employees adequately, these four mistakes are the most common pitfalls; avoid them and you should be able to meet your compliance requirements.

If you need help navigating the ever-changing landscape, you can always contact us. After all, shoring up your environment to meet compliance is vital to your success. Being aware of the security benefits that cloud computing offers will inform the steps you take to keep your company’s data as secure as possible.

GDPR: How Does This New Regulation Affect U.S. Firms?

Remember getting a bunch of emails in May from websites changing their privacy policies? You can thank the GDPR. Enacted by the European Commission, the GDPR (General Data Protection Regulation) is a law in the European Union that seeks to give individuals more control over how organizations store and use their personal data.

The GDPR has much more significant implications for your U.S. business than a few annoying emails, however. Unfortunately, 84% of U.S. companies confess that they don’t understand what the GDPR means for their business.

In this article, we’ll discuss the impact that the GDPR is having on companies in the United States. We’ll also cover what steps you should take to address that impact.

GDPR: What It Does and Who It Affects

The goal of the GDPR is to strengthen the protections that EU citizens and residents have over their personal data. This includes any information that organizations can use to identify a unique person. We’re talking about names, physical addresses, email addresses, ID numbers, and even online identifiers such as IP addresses and cookies.

In particular, organizations must be able to justify why they are storing personal data, and delete the data when it no longer has a justifiable business purpose. Organizations must also be transparent about how they use this information in response to an inquiry.

The guiding philosophy of the GDPR is that people, not companies, have ultimate ownership and control of how their personal information is used.

One of the biggest stipulations of the GDPR—and one that far too many U.S. companies are unaware of—is the fact that it doesn’t just affect businesses in the EU. Every organization that stores the personal information of EU citizens and residents must comply with the terms of the GDPR. Or, they could face the potential penalties: fines up to 4% of annual revenue or 20 million euros, whichever is higher.

Companies that refuse to comply with the GDPR will be effectively shut out of the EU market, with an estimated population of 508 million people. This makes the GDPR’s impact effectively worldwide.

Because the EU is so large, it’s a near-certainty that any company over a certain size will do business with an EU national. That’s especially true for those that operate online.

GDPR: How It Affects Your Business

The GDPR came into effect in May 2018. Therefore, your company should already be in compliance—or at least taking steps to get there. The sooner you can demonstrate that your business is GDPR-ready, the less likely you are to face penalties and fines.

Many websites have chosen to display a notification the first time an EU user visits the site. This window either informs visitors how their data will be used, or asks for their explicit consent to use their data in a certain manner (such as for marketing purposes).

Once the company collects this information, it must store it securely to minimize the risk of a data breach. If a cyberattack does occur, you must notify an EU regulator within 72 hours of discovering the breach.

The GDPR has undoubtedly had an impact on the operations of U.S. companies with a strong web presence. Organizations that understand the GDPR requirements and take action will be able to thrive in this new regulatory environment.

Understanding GDPR with EaseTech

Have more questions? No problem.

Talk to an expert in online data privacy and security to see how you can make your business compliant with GDPR today.