GDPR, a challenge at the heart of digital transformation
The General Data Protection Regulation (GDPR), adopted on April 27th 2016 by the European Parliament, aims at updating, strengthening and harmonizing the personal data protection framework. Starting May 25th 2018, all companies - with over 250 employees handling personal data (physical, cultural, social…) of European citizens, whether they are customers, suppliers or employees - will have to adopt it.
GDPR introduces new regulations concerning personal data management and protection, and it strengthens consumers’ rights. Furthermore, it requires notifying authorities of any personal data breach as soon as possible and, by default, in less than 72 hours. It also enables citizens to seek reparations for damages due to a lack of appropriate measures (encryption, anonymization…). The non-compliance penalties can reach 4% of the company’s global annual turnover or 20 million euros. In case of failure, the total bill could be very costly. All companies are concerned, regardless of their nationality, location, or whether they are owners, users or simply host the personal data in question.
GDPR also requires the appointment of a Data Protection Officer (DPO), who will be the correspondent of supervisory authorities and in charge of implementing the required processes. Indeed, the company will have to collect the “positive and explicit” consent of the person, erase (right to be forgotten, right to portability) or restore his/her data at his/her request, and estimate the impact of any activity or new project in order to implement protective measures from the design stage (privacy by design).
GDPR: a program, not a project
GDPR represents a significant transformation for companies: it requires a strong, dynamic approach in addition to the implementation of organizational processes and security controls.
In a constantly evolving environment, where data plays a central role, this major challenge lies at the heart of organizations’ digital transformation. Complying with GDPR is more than a project; it is part of a global, structured and long-term approach, one that should be integrated in a continuous improvement cycle to deal with the wide-ranging impacts of GDPR.
Organizations should consider 6 key activities when building their GDPR compliance program:
- You cannot protect what you cannot see: Gaining clear visibility of where your sensitive data is, and how it is being used and shared both inside and outside your company, is the first step to a comprehensive GDPR program.
- Break the silos: GDPR compliance is a concern for all stakeholders in any organization. Data Protection Officers, Security Officers, Business owners, HR... everyone should work hand in hand to make sure all business processes are updated accordingly.
- Think about the Extended Enterprise: GDPR compliance should be extended to your partners & suppliers. Make sure your Data protection impact assessments take into consideration the risks that the extended enterprise brings, as more players could jeopardize personal data privacy and security.
- Adopt purpose driven data collection: with GDPR, data collection should be limited to the necessary and specific usage, a usage that must be detailed and justified.
- Adopt auditable and controlled data processing: Organizations will need to demonstrate the effectiveness of the security controls implemented to guarantee data privacy, access control and data security.
- Update your Risk assessment regularly: the threat landscape is evolving fast and the technical environment of the organization is changing as well, which could introduce new threats & vulnerabilities.
The real challenge is not being in conformity with GDPR on May 25th 2018 but remaining compliant afterwards.
Let’s continue the conversation here if you are interested in learning more about how to assess your current GDPR readiness and identify the organizational & technical changes necessary to implement a GDPR compliant data management lifecycle.