Compliance with the General Data Protection Regulation (GDPR) begins on the 25th May 2018, giving us almost six months to finalise GDPR preparations. Doing nothing is not an option.
The exact number of days left can be found HERE. The site provides an overview of what GDPR means for people, roles, responsibilities and IT systems, plus a free white paper on Office 365 GDPR compliance aids.
Please refer to, and use, relevant aspects of both links even if you do nothing else. For more context, read on.
True readiness covers understanding, preparing for and testing out the basic concepts, the legal requirements and the contents of the GDPR preparedness plan.
Things that demonstrate basic understanding are:
- Realising that UK-based businesses must comply regardless of Brexit, as the GDPR comes into force before the UK leaves the EU.
- Even firms not based in the UK must comply: any business processing EU nationals’ data falls within scope.
- Each EU nation will enact its own version of the GDPR, so be aware of, and prepare to comply with, national variations.
Whilst only two of several available sources, they are a good place to start understanding the demands and complexities of 28 nations domestically enacting a single regulation.
Another law firm, Norton Rose Fulbright, has a checklist that translates the legal aspects into business language, offering a different perspective to ISACA’s guidance. Download the PDF HERE. Understanding both will aid organisations’ ability to apply the GDPR successfully.
In summary, the key aspects are:
- Territorial scope: non-EU firms processing EU citizens’ data (data subjects) must comply with the GDPR and must appoint one or more EU representatives to act on their behalf.
- Supervisory authority: one will exist in each EU country to oversee compliance. The UK has the Information Commissioner’s Office https://ico.org.uk/ (ICO) and their guidance on GDPR is publicly available HERE.
- Data governance and accountability: this will require board understanding and support to ensure that:
  - privacy impact analyses and privacy by design, including explicit consent from everyone whose data is being held, are carried out;
  - mandatory roles and responsibilities are fulfilled, including reporting where significant risk might lie and demonstrating compliance;
  - corporate capability is built through training and enhanced processes that support GDPR and supervisory authority requirements.
- Export of personal data: firms must map data flows within and external to the group, checking these are appropriate for GDPR purposes.
- Joint controllers: if more than one organisation decides how the personal data will be handled, all will be considered joint controllers of the data.
- Processors: the GDPR sets out stringent obligations which, if breached, may lead to financial penalties.
- Lawful grounds to process and consent: the firm must be able to show explicit consent to process data and be able to act when consent is withdrawn.
- Fair processing information/notices: demonstrating to data subjects why their personal data is needed and for how long.
- Data subject rights: the firm’s ability to provide the personal data it holds and/or erase it when requested.
- Big Data, research and wholly autonomous decision making: ensure that the GDPR is not breached when using secondary data.
- Personal data breach: understanding the scope of, and being able to comply with the new timeframes for, notifying breaches.
Assuming a December publication, there are almost six months to complete preparations. To ensure the programme remains on track, use COBIT® 5 to assess both the process and the output. See HERE.
If your organisation has not begun preparations, here is an outline GDPR programme plan to help you get started.
GDPR breaches are expensive. Keep compliant.