Implementing GDPR – 10 ways to smash through operational paralysis

Businesses are now slightly less than a year away from 25 May 2018, when the European Union General Data Protection Regulation (GDPR) transition period ends and enforcement begins — a deadline continually reiterated in a growing number of industry talks, seminars and articles.

This should be motivating organisations to begin mapping out plans for compliance and taking the necessary steps to protect user data via better cybersecurity controls and systems. Among other things, these steps include automating IT security monitoring, testing and measuring.

Despite (or perhaps because of) the sheer volume of information, advice and discussions around EU GDPR, many organisations are finding themselves in a state of organisational and operational paralysis – precisely at the time when plans should be well underway. And if your company is expecting an extension of the GDPR transition period, you will be in for a rude and costly surprise.

All indicators show enforcement will begin immediately on 25 May 2018, as agreed by the EU’s member states. However, it is not too late to put the wheels in motion to ensure your organisation is poised for success. Here are 10 key considerations to help move you from paralysis to effectively implementing an EU GDPR strategy for compliance.

1. Stop hesitating and start planning…today
To build trust among consumers that their personal information is secure, the EU GDPR dramatically increases the consequences of a data breach with fines of up to €20 million or 4 percent of turnover. Complying with the regulation is more than an IT challenge. It is a significant organisational issue that requires senior management to actively participate in, if not drive, the process.
Building the framework for effective implementation begins by bringing together key stakeholders from across the organisation – not just from IT, security or compliance departments. All stakeholders must be made to understand the risks of not getting it right. Start by getting buy-in from everyone for developing an actionable plan that has a target “go” date well ahead of 25 May 2018.

2. Appoint a qualified data protection officer
Ultimately, one person needs to be accountable for ensuring compliance. In fact, you may be mandated to appoint a data protection officer, depending on the processing you perform (EU GDPR Article 37). While there are no strict guidelines in place, DPOs must have “expert knowledge of data protection law and practices.”

Ensure you adequately explore the DPO requirements to see if appointing someone internally makes sense, or if you need to recruit to fill the DPO position externally. There are copious resources available from organisations such as the International Association of Privacy Professionals (IAPP) that provide valuable information on finding a DPO.

3. Start building your record of compliance
Businesses are obligated to implement technical and organisational measures to show they have integrated data protection into the core of all data processing activities. This includes network security, reliability and data security regimes, as well as breach notification procedures.
It’s common sense to begin compliance measures long before May 2018 rolls around. Third-party experts such as the SANS Institute recommend you meet the compliance requirements as soon as possible and immediately begin building an ongoing record to make sure you don’t get caught out.

4. Document your efforts
As mentioned, track and keep records of the steps you’ve taken along the way to becoming compliant.
