Archiving for Multi-Nationals – Are You Allowed to Move Corporate Data Given Privacy Rules?


Thousands of multinational companies (MNCs) are faced with meeting new data privacy requirements, such as the impending implementation of the General Data Protection Regulation (GDPR) in the EU. In the U.S. alone, 92% of MNCs cited compliance with the looming GDPR as a top data protection priority, according to new research from PwC. Of these companies, 68% are allocating between $1 million and $10 million to GDPR readiness and compliance efforts, with 9% expecting to spend over $10 million.

On the other hand, MNCs operating in the U.S. have long been challenged to meet a wide array of privacy rules. In contrast to the “omnibus” approach of the EU toward privacy protection, the U.S. has adopted a sectoral approach to privacy regulation. This means that privacy rules vary by industry, and highly specific legislation is in place to protect particular aspects of privacy. Such privacy regulations include the Health Insurance Portability Act and the Sarbanes-Oxley Act (SOX).

Implication of Privacy Rules for Data Archiving and Information Governance

The importance of GDPR and SOX to the data archiving and information governance market is that they make it clear that compliance is more than ticking a box. The data security aspects of these regulations make data privacy a critical element to consider when selecting one archiving platform over another, so that the chosen solution is built to meet an increasingly complex set of global data protection requirements.

We detail below the key actionable steps multinational organizations can implement to remain compliant with global data protection requirements:

1. Understand the Nuances of Applicable Privacy Laws

Whether it is the GDPR or SOX requirements, MNCs must have a thorough understanding of the privacy laws presently in place in the jurisdictions in which they operate. For instance, under the GDPR, an employer (the local subsidiary or branch office) is prohibited from processing employees’ data unless the employer has a permissible purpose for doing so as defined by the GDPR. As such, MNCs must establish a valid purpose for data processing before they can legally process their employees’ data.

In the U.S., the federal Occupational Safety and Health Act (OSHA) obliges employers to maintain employee medical records including, for instance, medical questionnaires, results of examinations, and records of employee complaints regarding safety issues. Employers, therefore, must notify their employees at the time of hiring, and annually after that, of their right to access these records and the steps they must take to exercise this right.

Having a thorough understanding of these privacy rules forms the bedrock of a company’s approach to privacy; without it, the company is missing critical elements of the picture that could have serious consequences.

2. Supervise Employee Access to Personal Data

For MNCs to comply with GDPR’s Right to Know requirement, they need to limit which employees have access to personal data. After identifying authorized personnel, they must be given adequate training, and there should be proper procedures in place for the appropriate handling of personal data.

It would also be wise to segregate access to personal data so that only employees in designated roles or locations can access data from customers who are based in the EU. For instance, a legal team that needs access to an archived SMS message from an EU-based client for eDiscovery purposes should only be granted access if its members have been trained to process data in compliance with GDPR guidelines.
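One way to encode that segregation rule in an archive’s access layer, added here as an illustration and not TeleMessage code; the role names, locations, EU country list, record fields and the denial log are all assumed for the example:

```python
"""Gate access to EU customers' archived records by role, location and training."""
from dataclasses import dataclass

# Constructed subset of EU member-state codes used to classify data subjects.
EU_COUNTRIES = {"DE", "FR", "NL", "IE", "ES", "IT"}

# Assumed policy: roles designated for EU personal data, and the sites they
# may work from. Anyone else is denied regardless of training.
EU_ACCESS_POLICY = {
    "legal_ediscovery": {"DUBLIN", "FRANKFURT"},
    "privacy_officer": {"DUBLIN", "FRANKFURT", "NEW_YORK"},
}

@dataclass
class Employee:
    user_id: str
    role: str
    location: str
    gdpr_trained: bool   # set once GDPR handling training is completed

@dataclass
class ArchivedRecord:
    record_id: str
    customer_country: str        # ISO country code of the data subject
    contains_personal_data: bool

denial_log = []  # denied attempts; in production this feeds audit/SIEM

def is_eu_subject(rec: ArchivedRecord) -> bool:
    return rec.customer_country.upper() in EU_COUNTRIES

def may_access(emp: Employee, rec: ArchivedRecord) -> bool:
    """Permit non-personal or non-EU records; gate EU personal data on all three checks."""
    if not (rec.contains_personal_data and is_eu_subject(rec)):
        return True
    allowed_sites = EU_ACCESS_POLICY.get(emp.role)
    if allowed_sites is None:
        reason = "role not designated for EU personal data"
    elif emp.location not in allowed_sites:
        reason = "location not designated for EU personal data"
    elif not emp.gdpr_trained:
        reason = "GDPR handling training not completed"
    else:
        return True
    # Every denial is recorded so reviewers can spot repeated attempts.
    denial_log.append(f"DENY user={emp.user_id} record={rec.record_id}: {reason}")
    return False
```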

3. Evaluate Existing Data Handling Capabilities

For multinational companies to comply with an individual’s request for access to their data, their data archiving platform must have the capabilities to search, filter, and retrieve that data quickly. Depending on the applicable regulation, companies may or may not charge a fee for providing such information to the individual.

Given the impending implementation of GDPR, organizations should begin assessing the capabilities of their existing archive solutions to search, filter, and retrieve data to meet this Right to Access requirement or evaluate alternative systems before time runs out.

4. Audit Existing Service Provider

Article 25 of the GDPR also requires companies to implement technical and organizational measures that demonstrate how data protection has been integrated into their processing activities.

One way that organizations can demonstrate this is to verify that the service providers who handle or process personal data on their behalf can provide assurances that data is secured and that data governance can be proven. This can be achieved by examining the integrity of the archiving platform and the service provider to ensure that their solution complies with globally recognized standards.

TeleMessage is a global leader in enterprise mobile messaging solutions, offering robust and holistic mobile archiving platforms. Our Mobile Archiver is equipped with features that enable organizations to comply with GDPR archiving requirements such as automatic deletion of records in case a customer decides to opt-out, data extraction and tagging, end-user notification in case of breach, and advanced data security options for maximum protection of customer data.

Contact us today to learn how TeleMessage platforms can help you achieve compliance with recordkeeping and privacy laws.
