It is by attaching rights to an individual’s data, separately from the rights attached to the individual, that the EU can demand EU-grade data protection standards of businesses in other countries. The onus is on businesses to determine whether they are in scope. Consider three simple questions:
1. Is your organization based in the EU?
2. Does your organization handle data concerning EU-based individuals?
3. Does your organization do any kind of business with organizations to which 1 or 2 apply?
If you answered yes to any of the three questions, it is most likely that your organization is in scope of the GDPR. Unless you are confident your existing data handling procedures are already compliant with the regulation, this means action needs to be taken now to prepare for the May 2018 deadline.
There has been a lot of noise in the IT press about swingeing fines and GDPR is frequently portrayed as the new corporate bogeyman. It has to be said these fears are not without foundation: a two-tier sanctions regime will apply and breaches of the law could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs [2].
However, scaremongering is not a constructive approach. The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage. That’s why Sungard AS advocates that organizations consider GDPR a central plank of business strategy that has high visibility with the Board.
Our Resilience consultants have drawn up a 12-step plan to guide you through the process.
1. Brief senior management
Ensure the board is aware of the changes to data protection law and how they affect the business. Consider booking a Sungard AS GDPR Awareness Master Class for your C-Suite personnel.
2. Kick off a GDPR programme
This should be led by C-level executives (or heads of department in smaller organizations) and include the CEO, CIO, CSO and CCO, or whoever is responsible for Compliance. The importance of having IT and Legal people speaking the same language and briefing the Executive cannot be stressed enough.
3. Consider whether your organization needs to appoint a DPO
The GDPR requires public authorities, and other organizations whose core activities require regular and systematic monitoring of data subjects on a large scale or that process special categories of data on a large scale, to appoint a Data Protection Officer (DPO) who will guide the implementation of GDPR requirements and monitor compliance. The DPO should be the head of the data privacy governance structure, liaise with the supervisory authority (the Information Commissioner’s Office for US businesses) and report directly to leadership. The ideal candidate will be IT conversant and have good business acumen, whilst also being proficient in all GDPR matters. Recruiting a DPO may prove time-consuming, so we advise customers to make this a priority.
4. Update data governance policies and procedures to ensure they reflect the GDPR requirements
5. Analyse the GDPR and understand the legal implications for your business
Identify the risks associated with your business model and address them by means of adequate data governance. Where appropriate, streamline processes. Pay particular attention to processes that use personal data for profiling. Marketing, HR and Sales will probably need to adjust their ways of working to ensure compliance.
6. Review your Records Management Strategy
Identify where personal data is being collected or acquired, the purpose for which it is being processed, and whether this data is shared with any other organization. If this information is not currently available, a detailed investigation will be required so that all personal data and its flow within the organization is accurately mapped.
7. Run an awareness campaign in your company
Unless your business is a one-man band, you need to ensure that all personnel are aware of, and engaged in, the quest for GDPR compliance.
8. Challenge the basis under which personal data is stored, collected and processed
Review the more prescriptive GDPR definition of consent and determine whether a new request for consent is necessary.
9. Implement any necessary technical adjustments to ensure GDPR data rights are fulfilled
These are the rights to be informed, to rectification, to erasure, to restrict processing and to object; the rights in relation to automated decision-making and profiling; and the new right to data portability.
10. Review the current mechanisms for international data transfers
Be aware that the adequacy of Privacy Shield (which replaced Safe Harbour) is currently a subject of concern.
11. Examine your supply chain
Ensure your efforts to comply are not undermined by engaging in business with non-compliant providers or business partners.
12. Embed privacy in your operation
This is the only sustainable way to ensure compliance on an ongoing basis. GDPR is here and will be for the foreseeable future, even after Brexit.
Sungard AS can support you on your GDPR journey
Our consultants can help you initiate a GDPR compliance programme, develop the business case and establish a plan of action to gain competitive advantage by achieving cyber resiliency and regulatory compliance. To find out more, please contact us.
[1] Survey of 821 IT and business professionals responsible for data privacy across the US, Canada, Asia Pacific (Australia, Hong Kong, Singapore, India), UK, Germany, Sweden, Belgium, The Netherlands, France, Italy, Spain and Poland, conducted by Dimensional Research on behalf of Dell.
[2] UK firms could face £122bn in data breach fines in 2018.