With the directive coming into force on 25 May next year, organizations need to prepare now if they are not to be in breach of the regulations.

In just nine months, a two-tier sanctions regime will be enforced with breaches of the law leading to hefty fines of up to €20 million (or 4% of global annual turnover) being levied by data watchdogs. But to focus on potential fines is to miss the point: what is more important is that implementation of the GDPR will give compliant businesses a real competitive advantage.

Research suggests up to 61% of businesses have yet to wake up to the reality that Brexit or not, GDPR requirements are not going to go away. The clock is ticking for organizations to act on what Information Commissioner Elizabeth Denham describes as "the biggest change in data protection law for a generation."

She says, "If your organization can't demonstrate that good data protection is a cornerstone of your business policy and practices, you're leaving your organization open to enforcement action that can damage both public reputation and bank balance. But there's a carrot here as well as a stick: get data protection right, and you can see a real business benefit."

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. Its work is to ensure data protection law is respected and while they will impose fines to achieve that goal, it is not their purpose. The big question is how your organization would measure up if the ICO was to conduct an audit or advisory visit.

Related: What does the GDPR mean for your business?

What is the ICO looking to see when they visit?

  • Senior management has taken ownership of Data Protection
  • There is a GDPR program in place that has the necessary resources and involves all relevant stakeholders
  • A Data Protection Officer (DPO) has been appointed in those cases where it is mandatory and that this individual has access to senior management and can work without pressure being brought to bear
  • A Privacy Impact Assessment has been conducted
  • Areas of compliance have been documented
  • Areas that require further work have been identified and there is a plan in place to tackle them
  • There should be a plan to deal with a data breach when (not 'if') it occurs that includes:
    • A procedure to notify the ICO within 72 hours of identifying the breach
    • A process to decide whether data subjects must be notified and a mechanism to do so
    • Senior management being prepared to deal with the crisis that would arise

Everything you wanted to know about GDPR but were afraid to ask

If you'd like to be prepared for GDPR, you can find out everything you need to know at a Sungard AS GDPR masterclass. GDPR masterclasses are delivered by experienced practitioners who offer unique insights based on real-world experience across a range of industries. All our speakers have been selected because they challenge conventional thinking and cut through the waffle to give practical insights that can deliver a real business advantage.

During the one-day workshop, periods of round-table learning are reinforced by short, sharp, practical exercises designed to reinforce the learning experience through memorable, relevant and up-to-date examples. Topics covered include:

  • The foundations of modern privacy law and the essential elements of GDPR
  • What is a Privacy Impact Assessment?
  • Personal data and consent: the pathways to lawful business
  • The rights of the data subject
  • Monitoring and profiling: the impact on businesses, IT and social media
  • Data Controller and Data Processor: their relationship and obligations
  • Exemptions and opt-outs
  • The Data Protection Officer: responsibilities, authority and accountability
  • International transfers, adequacy regimes, contractual mechanisms and Brexit
  • Key business issues: outsourcing, the Internet of Things, Big Data and the Regulator
Following the GDPR masterclass you will have:
  • Increased awareness of GDPR requirements
  • Improved confidence in your own abilities to judge the relevance of the legislation to specific business processes
  • Greater understanding of appropriate behaviors on a Privacy by Default and a Privacy by Design organization
  • Improved teamworking at strategic, tactical and operational levels as you gear up for GDPR
  • A practical understanding of the requirements, role and responsibilities of a Data Protection Officer

Sungard Availability Services can support you on your GDPR journey. Our consultants can help you establish a GDPR compliance program, develop the business case and draw up a plan of action to gain competitive advantage by achieving cyber resiliency and regulatory compliance. To arrange a GDPR masterclass for your C-suite, please contact us, or learn more about IT Consulting from Sungard AS.