EU member states are entering the final countdown to the EU General Data Protection Regulations (GDPR), which apply from 25th May 2018 and bring with them a huge change in data protection law.
All organisations should already be familiar with the main provisions of the GDPR (Full details are provided in The EU General Data Protection Regulations: What risk managers need to know, Airmic 2017). However, many are now asking themselves how the GDPR applies to them and what they need to do in practical terms to ensure compliance in time.
The GDPR seeks to balance the privacy rights of individuals with the capacity of businesses to use data for their own purposes in the internet era. It can be tempting to leave compliance to the IT team. However, the GDPR concerns far more than information security; it is a business-wide issue which requires a complete change in business culture. Whether or not an organisation appoints a data protection officer, risk managers will remain key to ensuring that the risk of non-compliance is properly understood across the organisation.
“These sweeping regulations can be overwhelming. We are breaking them up, compartmentalising and taking bite-sized actions. Otherwise it’s far too easy to fall down the GDPR rabbit hole!”
Scott Wilson, Chief information security officer, Ventiv Technology
Complying with the GDPR is not a one-off project. An integrated, thorough and transformational programme is required that addresses how an organisation’s personnel, processes and systems handle personal data. Taking a step-by-step approach can make this challenge more manageable.
- Organisations must have a comprehensive GDPR implementation programme which is mandated by the Board and effectively implemented at management level
- Individuals within organisations must fully understand and perform their data protection obligations and responsibilities
- Organisations must be able to produce clear evidence to demonstrate that they comply with the GDPR
This paper provides a practical step-by-step framework for organisations navigating the major risks posed by the GDPR.
A reminder: Major provisions
- Mandatory reporting of data breaches within 72 hours
- Hefty fines, of up to 4% of annual global turnover or €20 million
- Appointment of a data protection officer (DPO), for prescribed organisations
- Expanded scope, applying to data controllers and now also to data processors
- Expanded definition of personal data, including online identifiers
- Expanded reach, applying to organisations within or targeting the EU
- New rights for data subjects, including the right to be forgotten and the right to data portability
- Easier access by individuals to their own data, including a right to more extensive information