The European Union General Data Protection Regulation (GDPR) has been years in the making.
The version agreed upon in December of 2015 began with a proposal from the European Commission in January of 2012 — but prior to that, years of work, discussions, papers and directives paved the way. While organizations will have about two years to come into compliance, they should begin rethinking their privacy, security and information governance strategy immediately.
Beyond those based in the EU, companies with a significant European presence will also be subject to GDPR requirements. This means that any company may be subject to the regulation even if they are not established in the EU. This is a significant change to the current law, which only maintains jurisdiction over companies with an established business in a particular state. The law is likely to require:
- Significantly greater fines for data breaches — potentially up to four percent of an organization’s annual global revenue
- Privacy Impact Assessments (PIAs)
- Privacy and Security by Design
- Inventories and data mapping of personal information across business systems
- Mandatory appointments of data protection officers
- Evidence that organizations are complying
The new EU Data Protection Regulation creates many obligations — both from new and older concepts — which require the CPO, CISO, IT and CIO to interact even closer than before.
The new IT obligations have the potential to cause the greatest impact for companies around the world, because they may require a fundamental shift in operational processes for IT and business process optimization, as well as program management. Here are a few of the mandates that will carry a significant budgetary and operational impact, especially on the IT department:
1. Think Privacy and Security by Design
Anyone who has been a part of designing a home or building anything understands that it is always better to set plans from the beginning of a project. Creating standardized processes in collaboration with IT and the business gives you a repeatable framework for future projects. It eliminates the need to review and sign off on similar projects, over and over.
This frees you up to provide advice, guidance and review at every step of the process. Consider using automation so colleagues can request a privacy impact assessment (PIA) of the systems they're planning to build and deploy — providing them with a reasonable estimate and timeline.
2. Privacy Impact Assessments
PIAs are a systematic process to assess privacy risks to individuals involved in the collection, use and disclosure of their personal data. Many organizations already conduct PIAs as part of a statutory or regulatory obligation, and the GDPR further highlights the importance of the process.
PIAs provide a good foundation to assess the potential and ongoing risk of systems as well as the data that flows within them. This allows privacy and data security teams to recommend and monitor appropriate controls.
3. Risk-Based Approaches
The GDPR requires companies to manage their privacy and data protection programs with a risk-based approach.
While this sounds like a bit of legalese, it’s relatively simple to find meaningful ways to operationalize this requirement.
Start by understanding what kinds of data your business handles as well as how colleagues are using internal systems in their day-to-day work — this takes a bit of time. The time invested in understanding user requirements will pay off, as the organization will be able to craft solutions that meet business needs properly.
4. Demonstrate Accountability
The GDPR requires that organizations not only create policies that meet its mandate, but that they operationalize those policies and be able to prove that they’ve done so.
For many years I've advocated a best practice approach that requires measurement, reporting and monitoring. Policies should be living, breathing documents that reflect and direct the flow of your business. The new regulation will mandate an overarching system across all information gateways so organizations can report what they are going to do to achieve compliance, do it and then prove they did it — internally, for auditors and regulators, or as part of data protection best practices.
For those of you who read the first few sentences of this article and thought you could put off planning for another year or so, know this: The obligations under this law may take months — if not years — for most companies to implement.
Don’t wait for a breach to happen to you — the fines under this law could mean the end of an organization. Don’t allow your company to serve as an example of what not to do. Seize this opportunity to work proactively and swiftly towards compliancy.
Editor's Note: Dana Simberkoff will be moderating a panel about this topic on March 1 at the RSA Conference in San Francisco.