A new set of European rules and standards related to privacy and data protection (the General Data Protection Regulation, or GDPR) has set in motion a mad compliance and security scramble not only for European companies, but also for any company doing business in Europe or with European customers.
The regulation is designed to harmonize privacy across the EU, codify more rigorous privacy rights, strike a balance between privacy and security, and create an explicit obligation for both data controllers and processors to demonstrate compliance with GDPR. The clock is ticking – the regulation goes into effect on May 25th, 2018, and the potential penalties for non-compliance are significant (organizations found to be in breach of GDPR may be fined up to 4% of annual revenues or 20 million Euro, whichever is the greater).
This is not just a problem for European-based companies. If your organization does business in the EU, offers goods and services to EU citizens, or processes EU citizen data, then all the provisions of GDPR apply.
Social media and enterprise collaboration platforms like Workplace by Facebook and Microsoft Yammer create unique compliance challenges under GDPR. Although social media has experienced exponential growth, it is still very much in its early stages from a legal and regulatory perspective. This continuously challenges organizations, which struggle daily to nail down their compliance with record-keeping regulations like the GDPR.
Here are four key challenges to consider in developing your compliance strategy:
1. Data Protection and Privacy
Organizations should evaluate how they collect social media data and address their intentions publicly prior to collecting such data. This can be done on corporate websites and social media in clear policy statements.
2. Employee Rights on Social Media
Policies to help guide the use of social media in the workplace are commonly in place, but these policies must not conflict with other privacy laws. They must be revisited with GDPR taken into consideration.
3. Governance and Oversight
Firms are increasingly allowing employees to use social media for business purposes, but both GDPR regulators and industry regulators, such as FINRA and the SEC in the financial services industry, now demand that organizations develop strong internal procedures and controls to ensure they manage the associated risks effectively.
4. Information Archiving and Retention
Determining what content is considered “business” communication, and when that content should be captured and archived, is more complicated than it seems. Implementing a system that effectively captures social media history and preserves it as an official, valid archive is a key step towards GDPR compliance, as well as compliance with other regulations across industries.