Five steps to GDPR compliance
For any organisations processing personal data the General Data Protection Regulation (GDPR) is important news. Agreed upon just days ago, after years of negotiations, the GDPR is the biggest legal change of the digital age.
This European Union law has global scope, covering any organisation that provides goods or services to the EU or gathers information concerning EU citizens, and covers a wide range of issues relating to personal data, such as privacy, monitoring and security. It compels businesses to provide data in a form suitable for use by a competing service provider, disclose personal data breaches within 72 hours and encrypt the data they hold.
The legislation is welcome news for consumers who will get more say over how their data is handled, more rights to be forgotten and increased visibility of data breaches. But CIOs shouldn’t underestimate the speed at which they need to work to address the extensive implications the GDPR will have.
Businesses have two years to make sure they are technically and organisationally ready for the legislation coming into force. That might sound like more than enough time to prepare, but getting your house in order is not an overnight task. The far-reaching nature of the GDPR means every aspect of a business will feel its impact and, in places, entire processes will need to be replaced or set up from scratch.
The cost of not complying is huge. Organisations could face fines of up to 4 per cent of global turnover for the previous year – a devastating amount for any business.
Many organisations are just beginning to get to grips with personal data capture and use, and the sophisticated level of monitoring and policing that the new legislation mandates will really stretch their competencies. Businesses starting from a very low baseline of compliance will need at least this amount of time to implement wide-ranging changes to how they process, secure, protect and report on the data they hold.
Act now
1. Understand how GDPR affects you: Businesses are going to be impacted by this ruling in different ways so carry out a full assessment of which changes apply to you and the areas which present the greatest risk.
2. Escalate to the top of the business: It’s crucial that the board understands the enormity of these potential changes, the resource needed to transform the way the organisation handles personal data, and the risks of not complying.
3. Assume full responsibility: The law will hold organisations fully responsible for meeting the new data requirements, so make sure you review existing systems, procedures and contracts with cloud vendors to avoid hefty fines.
4. Appoint a project owner: Depending on the level of change required in your business, consider appointing a project owner, a Chief Data Officer or an external partner to oversee GDPR-readiness.
5. Welcome GDPR as an opportunity: Personal data is increasingly at the heart of a modern organisation’s operations, and this is an excellent time to make sure the level of protection in place is fit for the new digital era. Staying within the law is one thing, but meeting changing customer expectations is equally important.
We have been given two years to get this right as there is a realistic understanding of the impact this regulation will have on organisations, but those that leave it late will find themselves in hot water with no excuses.
Data processes should be at the top of the CIO’s agenda right now, rather than just before the regulations come into force.