Preparing for the EU General Data Protection Regulation (GDPR)
By John Kyriazoglou
Is your company ready? What steps should you, as a manager, executive or board director, take for your company by May 2018?
My new book ‘Data Protection and Privacy Guide’ in five volumes (see links at the end) is designed to support you effectively in all these issues.
I am providing below a short summary of the GDPR and how it impacts your business operations (including your IT systems) and a flavor of what is contained in these volumes.
1. Introduction to the EU GDPR
In April 2016, the EU General Data Protection Regulation (GDPR) was approved, entering a two-year transition period (April 2016 to May 2018) during which member states and enterprises (private companies and public organizations) handling European residents’ personal data will need to adopt the new requirements. The Regulation introduces tough penalties for non-compliance, with breached organizations facing fines of up to 4% of annual global turnover or €20 million, whichever is greater.
The new law dramatically changes the way in which organizations approach personal data protection (for customers, employees, etc.), particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation’s annual turnover, enterprises simply cannot afford to let personal data slip into the wrong hands through mismanagement or a malicious breach. One way to ensure this doesn’t happen is for personal data to be secured under lock and key with the help of identity governance, where entry is monitored and controlled around the clock, etc.
2. Preparing for the General Data Protection Regulation (GDPR)
What basic steps to take by May 2018:
Step 1: Awareness. You should make sure that decision makers and key people in your company or organization are aware that the law is changing to the GDPR.
Step 2: Data Protection Officers. You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organization’s structure and governance arrangements.
Step 3: Personal Data you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organize a personal data audit, etc.
Step 4: Individuals’ rights. You should check your corporate procedures to ensure they cover all the rights individuals have, including how you will handle requests within the new timescales and provide any additional information, how you would delete personal data or provide data electronically and in a commonly used format, etc.
Step 5: Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Step 6: Legal basis for processing personal data. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Step 7: Consent. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Step 8: Children. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Step 9: Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10: Data Protection Impact Assessments (DPIA). You should familiarize yourself now with the guidance regarding when to carry out a DPIA, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals, etc.
Step 11: Data Protection by Design and by Default. You should ensure that all the products your company produces and sells and all the services it provides (including information systems) implement privacy and data protection according to the principles of the GDPR.
Step 12: International Operations. If your company operates internationally, you should determine which data protection supervisory authority you come under.
3. Resources to support you in implementing the EU GDPR
As noted above, my new book ‘Data Protection and Privacy Guide’ in five volumes (see links at the end) is designed to support you in all these issues.
This book, in 5 volumes, contains a complete set of methods, strategies, plans, policies, audit tools and other practical techniques to guide, support and facilitate you to effectively manage the personal data your company collects and processes and comply better with all privacy regulations (e.g. EU GDPR).
1. Data Protection and Privacy Management System: Data Protection and Privacy Guide – Vol I
2. DP&P Strategies, Policies and Plans: Data Protection and Privacy Guide – Vol II
3. Data Protection Impact Assessment: Data Protection and Privacy Guide – Vol III
4. Data Protection Specialized Controls: Data Protection and Privacy Guide – Vol IV
5. Security and Data Privacy Audit Questionnaires: Data Protection and Privacy Guide – Vol V
Thank you,
John Kyriazoglou