The General Data Protection Regulation (GDPR) was approved by the European Union (EU) Parliament and will be effective 25 May 2018, at which time those organizations in non-compliance will face heavy fines.
What is the GDPR and why is it important?
GDPR is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy, and reshape the way organizations approach data privacy. The key articles of the GDPR and its business impact can be found throughout the GDRP website.
Will the GDPR affect me?
Yes, if two conditions are met:
you have a presence in the EU, operate in the EU, or use/process the data of EU customers, and
you employ more than 250 people.
What do I have to do?
GDPR demands that businesses provide a “reasonable” level of protection for Europeans’ data, but what “reasonable” means is left open to question.
That said, you should understand some of the basics:
Roles and responsibilities
GDPR is big on identifying responsible parties, so you should work out who is who, even if they are the same person:
The Data Controller: The natural or legal person, public authority, agency or any other body responsible for the architecture and operations of the business who decides what data is used in an organization, how it is processed and who does the processing, even if it is an outside body.
The Data Processor: The natural or legal person, public authority, agency or any other body who actually processes data on a day-to-day basis. This includes outside bodies (for whose activities you may still be liable).
The Data Protection Officer (DPO): Required for any significant holder or processor of personal data, a new role designed to make compliance proactive and a strategic contributor to the business.
Audit your data
You should also examine what data; names, addresses, health data, social security numbers, and even information on ethnic background, for example, will demand GDPR-compliant treatment.
When you know what you need to achieve, you can start to plan effectively and realistically:
Recruit/hire your DPO if you’re going to need one.
Put together a team that includes a board-level sponsor and an IT and legal expert. Involve a representative of every team involved in processing data. If you have a Chief Data Officer and/or Chief Information Officer, get them (both) involved.
Conduct a gap analysis which will identify what you need to achieve to maintain compliance and where the gaps are.
Test the priorities! test what will be regulated, in particular:
Documentation: Make sure you can document your data lifecycle
Impact assessments: GDPR also requires you to mitigate the effect of data breaches by understanding what their effect (both on customers and your business) might be, with Data Privacy Impact Assessments (DPIAs).
First response: Data breaches are going to happen, and the regulators know it. What matters is how well you respond; and the GDPR demands that breaches are reported within 72 hours.
To learn more about GDPR, the demands it will place on your business, and how best to cope with them, take a look at the OpenSesame courses from Me Learning. They have been designed to take the pressure out of your GDPR preparations and minimise the load on your staff.