The General Data Protection Regulation (GDPR) is coming. The new regulation – enforced by the European Union – will strengthen and unify data protection across the continent. The main goal of the regulation is to protect data owners, but it will also serve to improve overall corporate data security.
Do you want more detail on the GDPR? Here is all you need to know in a nutshell, along with the full legal texts organized in neat PDFs. Don’t forget, the GDPR will come into effect on May 25th, 2018.

The indisputable impact of GDPR

The harmonization of data regulation laws across 28 countries at once is not an easy task, but it comes with a huge upside: clarity. The downside, however, is equally impactful: harsh financial penalties for organizations that are non-compliant.

Fines can rise to $21 million, or 4 percent of your annual worldwide turnover – whichever is greater. According to a Veritas survey of more than 2,500 senior technology decision makers, almost 40% of businesses are fearful of a major compliance failing. And rightly so. (Tesco Bank fell victim to a data security breach in 2016. Had the GDPR been in force then, it would have been fined $2.3 billion.)

Which type of GDPR coach are you?

Who bears responsibility for GDPR compliance in your organization? Almost one-third of respondents believe the CIO is responsible. According to the Centre for Information Policy Leadership’s readiness report, everyone is. And so are you.
Google ‘GDPR’ and you will quickly find a torrent of information. As a result, it can be hard to know where to place your trust. That’s why we’re here. We’ve sifted through 4 sets of preparatory drills – one for each type of GDPR manager. Which type are you?

Drill #1: Lexology’s team-first approach

Ideal for charismatic motivators who want to form a widely supported consensus.

Lexology’s article, written by British firm DLA Piper LLP, claims that the core element of GDPR protection is teamwork. You should gather a team of experts from within the organization as part of an integrated approach. Before forming such a GDPR team, however, you need to ensure that senior management buys in completely. Once the team is in place, its members will need to work together to identify specific privacy risks and determine how these can be mitigated or avoided.

Drill #2: IBM’s 5 long-term pillars

Ideal for long-term strategists who are looking to use the GDPR to strengthen their organization from within.

IBM developed a five-step approach to identify the aforementioned privacy risks: the 5 Phases to Readiness. Each of the five phases is associated with a specific part of your organization that needs attention:

  • Governance
    Determine how you can translate GDPR into actions, norms and values.
  • People & communication
    Train your employees on GDPR requirements.
  • Processes
    Find out how GDPR will influence processes and how you can manage the required changes.
  • Data
    Govern your data and prepare to interact with individuals and third parties.
  • Security
    Protect the fundamental privacy rights.

Drill #3: Dark Reading’s 6 directive authorities

Ideal for action-oriented coaches who want to have their game-plan ready and approved by experts.

“The most trusted online community for security professionals like you,” that is how Dark Reading presents itself. Jai Vijayan, one of their top contributors, tackled the GDPR guidelines with an equal amount of bravado and expertise. Each of his 6 key points is backed up by expert advice:

  • Develop and articulate a clear privacy policy
    “Companies should be practicing transparency around why they want to collect data and ensure that all data is used within the boundaries of consent.” – Dana Simberkoff
  • Start implementing privacy by design
    “Software and development practices that don't follow privacy by design principles put organizations at major risk in light of GDPR.” – Dan Blum
  • Enable an opt-in requirement for data sharing
    “Privacy policies must be clear and concise, and companies must provide consumers with an opt-in to have their data shared with third parties.” – Dana Simberkoff
  • Prepare for new data breach reporting requirements
    “At 72 hours, the timeline to report a breach is the tightest that we’ve seen with any regulatory measure.” – Eldon Sprickerhoff
  • Implement controls for tracking and managing data
    “IT managers need to be asking themselves: can we track a customer’s personal data as it travels through our systems? Can we erase it if they request us to do so?” – Eve Maler
  • Be ready for data protection impact assessments
    “The GDPR requires companies to do DPIAs to identify ‘high risks’ to consumer data privacy.” – Dana Simberkoff

Drill #4: ico’s exhaustive 12-step program

Ideal for perfectionist administrators who want to be prepared for each and every situation.

The British Information Commissioner’s Office, or ico, published a guide called Preparing for the General Data Protection Regulation – 12 steps to take now (PDF, 492 KB). The guide recognizes the similarities with the current Data Protection Act, but also takes into account the increased emphasis on documentation. A summary of their comprehensive twelve-step program:

  1. Awareness
    Make sure decision makers in your company are aware.
  2. Information you hold
    Document which information you hold, and who can access it.
  3. Communicating privacy information
    Make the necessary changes to your current privacy notices.
  4. Individuals’ rights
    Check whether your deletion and delivery procedures are up to modern standards.
  5. Subject access requests
    Organize procedures to comply with new timescales.
  6. Legal basis for processing data
    Analyze the types of data processing you carry out and document its legal basis.
  7. Consent
    Review how you seek and record consent.
  8. Children
    Put systems in place to verify age and gather parental consent.
  9. Data breaches
    Make sure you have the right procedures in place to detect, report and investigate.
  10. Data Protection by Design
    Familiarize yourself with DPIAs and implement improvements.
  11. Data Protection Officers
    Designate a dedicated DPO or someone to take responsibility for GDPR compliance.
  12. International
    Determine which supervisory authority your international branches come under.

GDPR as a springboard

Whether you are a motivator, strategist, action-taker or administrator – the implications of the GDPR can appear overwhelming. The regulation in general, however, should have a positive impact on your organization.

“GDPR represents an opportunity to consider data privacy compliance more strategically and holistically, as it becomes key to their data strategy and the digital transformation of their business.” – Bojana Bellamy, president of the CIPL.
