Many companies most of us know mistakenly assume GDPR is purely a legal issue. The reality is far from that. This flawed assumption stems from a limited understanding, or none at all, of what data is to the business and what it is not.
Incidentally, no single department in an organisation can address GDPR on its own. It requires an enterprise-level view to address compliance effectively, efficiently and, more importantly, dare I say – ‘profitably’. For starters, ‘absolute compliance’ may not be possible for many organisations by May 25 2018. However, every CIO must at the very least get control of their GDPR-related outcomes.
Over the past few years, most CIOs have started to recognise the importance of data management and data protection. GDPR, however, has added a sense of unprecedented urgency to those efforts. Many CIOs are probably losing sleep over it.
The European Union’s (EU’s) General Data Protection Regulation (GDPR) will affect virtually any company in any sector around the world that processes the personal data of EU residents. Although this may put undue pressure on IT executives to ensure that their organisations are prepared, CIOs must educate the enterprise that data matters are indeed a business strategy issue and not just an IT issue. CIOs must build their case to communicate this to their business colleagues as well as their boards.
The GDPR replaces the EU’s Data Protection Directive 95/46/EC and is meant to harmonise data privacy and data protection requirements across Europe. One of the key differences between the new regulation and its predecessor, however, is that it holds accountable all companies that process personal data associated with EU residents, regardless of whether those companies have a physical presence in the EU. The potential penalties for non-compliance, meanwhile, are not trivial, reaching as high as 4 percent of global revenue or 20 million euros, whichever is greater. So that’s what it is going to cost you if your C-suite gets things wrong.
Here are, at a bare minimum, five things every CIO must do to ensure that his or her organisation is ready for GDPR compliance, even if you believe you are running late.
- Understand that data is a trail of your business processes, and that this data must be managed with increased record-keeping. This is not new to most companies; however, the most undisciplined companies are obviously going to be penalised for this negligence and will have to get their house in order. Thankfully, most IT departments are capable enough.
- Get good at performing data protection impact assessments (DPIAs). Ensure that DPIAs are an integral part of your existing business and technology processes. The GDPR requires organisations to conduct data protection impact assessments for any new processing, or changes to processing, deemed to represent a high risk to the privacy and protection of EU resident personal data. This calls for a high level of transparency across both the process and the data landscape.
- Incorporate privacy by design into your culture and DNA. The GDPR requires privacy and data protection controls to be incorporated by design into any new or existing systems or processes that involve EU resident personal data. Ensure that communications and training programmes address this as part of your culture initiatives.
- Know your data and treat it sensitively, while considering data portability and erasure. Under the GDPR, organisations must provide EU residents with the ability to access, correct and erase their data, as well as allow them to move it to another service provider if they so choose.
- Step up to a culture of managing data risk in your business. Get control over third-party risk management. Remember that person-centric data is the most valuable data to your business anyway. It is the billion-dollar byte. GDPR is now an opportunity to get your act together, even when third parties are managing your data.