Organisations are less than five months away from being subject to the new General Data Protection Regulation (GDPR), making it critical that firms have begun to plan for the reporting and systemic changes required to comply.
GDPR is particularly high profile due to the significant fines that can be attached to violations. A type I violation (involving breach of duty of care for your customers' information and minor transgressions of the regulation) can carry fines of up to €10 million or 2% of your organisation's annual turnover. Type II violations (major data breaches and evidence of significant corporate negligence to implement the regulation's stipulated controls) carry maximum fines of €20 million or 4% of your organisation's annual turnover.
These fines are designed to ensure that any customer, client, or personnel data your organisation holds is adequately protected, is properly categorised so that it can be updated or removed at the individual's request, and that customers are given the opportunity to opt in to sharing their privileged information with your organisation (previously, companies have been allowed to offer an explicit opt-out instead).
There are various methods firms can implement to ensure compliance with the requirements of the regulation. Technology solutions have proven popular as a method of mapping out what data your organisation holds and assessing the data's sensitivity.
Companies in this space have developed solutions that can be used to assist with internal efforts to ensure that data is appropriately mapped and has the correct metadata (the information that accompanies any piece of data that describes its contents). To streamline the Subject Access Request provision of GDPR, other providers have rolled out online dashboards to allow customers to view the information that your organisation retains on them.
However, technology solutions can come at a high cost, and their implementation is not always straightforward. They often require significant IT and engineering effort to be used to their full capacity, and without a prior data mapping exercise it is difficult to guarantee that all of your data will be captured by the tool, leaving the solution incomplete and your organisation potentially exposed.
Cyber readiness assessment
An option that can help your organisation triage its needs and build a more complete picture of the data it holds is to perform a cyber readiness assessment. These assessments evaluate your organisation's processes and technology against its existing controls and provide recommendations to correct any compliance issues. A typical assessment may cover the following topics:
- Data collection, portability, and transfers;
- Consent declarations;
- Privacy program management and transparency declarations;
- Data Protection Officer readiness;
- Data security and data breach readiness and response;
- Privacy training awareness programs.
Like an audit, these assessments provide a compliance gap analysis, but they tend to be a lighter-weight approach than a full audit, meaning faster results and more time to implement recommendations. They can also be repeated regularly as regulatory changes are introduced.
Regardless of the approach your organisation selects, being able to consistently attest to the successful operation of your data privacy controls is key: it reassures your customers and clients that their information is being appropriately safeguarded, it gives your corporate stakeholders confidence that the company and its profitability are protected, and, perhaps most importantly, it helps you avoid significant reputational and financial risk.
James Weare is vice president, Information Security, Legal Management Consulting, at Duff & Phelps