The GDPR and Your Organization: What You Need to Know

The General Data Protection Regulation (GDPR) officially goes into effect in May and will have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.

At the Information Security Forum (ISF), we consider this to be the biggest shake-up of global privacy law in decades, as it redefines the scope of EU data protection legislation and forces organizations worldwide to comply with its requirements. This most certainly includes US-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a lack of awareness among key internal stakeholders. The GDPR will create several compliance requirements, from which few organizations will completely escape.

However, organizations will benefit from the uniformity introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits, as countries in other regions are dedicating more attention to the protection of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.

Understanding the Consequences of Non-Compliance

Most countries have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce and penalize the processing of personal data. In the US, a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.

Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the supervisory authority with territorial responsibility.

If an organization is found to be infringing the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors, but they also include far more substantial powers: an authority can compel an organization to process data in a certain manner or to cease processing altogether, and can force an organization to communicate data breaches to the affected data subjects.

Preparation Begins Now

No organization that operates on a global footprint of suppliers can afford not to prepare for the changes that will result from the new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extreme preparation and responsibility, all of which must be shouldered by the organizations themselves, which cannot look solely to government or regulators for help.

The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next year will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. Because of the effort required to report data breaches, it is essential that organizations prepare in advance.

Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements. A Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes and technical solutions in place to achieve compliance.

With reform on the horizon, organizations planning to do business in Europe, or already doing so, should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it.

In theory, an organization should have completed its GDPR preparations before May in order to respond to third parties' requests for assurance and to obtain assurance from third parties in turn. This will require resources with the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline.
