Editor’s Note: The author is a managing director at HBR Consulting and focuses on IT services.
By Laurie Fischer, Managing Director of Information Governance, HBR Consulting
A surprising 80 percent of international IT professionals say they know little to nothing about the General Data Protection Regulation (GDPR), according to a Dell survey. A staggering 97 percent said their organizations do not have a plan for complying with the new mandatory regulation.
The GDPR (Regulation (EU) 2016/679) replaces the 1995 EU Data Protection Directive (95/46/EC) with a single regulation that applies directly in every member state, providing consistent definitions, mandatory breach notification, defined roles and responsibilities, and financial penalties for non-compliance. It aims to better protect the personal data of individuals in the EU. Under the regulation, organizations must tell individuals what data they collect and why, obtain valid consent where consent is the lawful basis for processing, notify the supervisory authority (and, where the risk to individuals is high, the individuals themselves) of a breach, appoint a data protection officer (DPO) where the nature or scale of their processing requires one, and comply with numerous other rules.
While this is an EU regulation, its reach is extraterritorial: it applies to any organization, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. For global law firms, this means implementing enhanced measures to protect their most valuable “product”, privileged client information. The consequences of not understanding and adhering to the new regulation are steep. For the most serious infringements, organizations can be fined up to €20 million or 4 percent of their worldwide annual turnover, whichever is higher.
These fines are certainly significant, but they do not include the additional cost of an actual data breach resulting from inadequately protected data. According to Ponemon research, in 2016 the average total cost of a data breach for an organization was $4 million. The same report found that the cost of each lost or stolen record containing sensitive information ranged from $155 to $158.
3 Ways to Start Preparing for the GDPR
Because of the broad reach of the GDPR, global organizations are advised to understand their data, become knowledgeable about the new requirements, and collaborate with key stakeholders, including legal, information security, compliance and privacy, on a compliance plan before the regulation becomes enforceable in May 2018. We suggest starting with the three steps below.
Collaborate with internal stakeholders. To create an effective company-wide plan for GDPR compliance, a cross-disciplinary team, including legal, information governance, IT, IT security, privacy, and the appropriate business leaders, needs to be involved. For many law firms that means creating a team dedicated specifically to developing and implementing the new policies and procedures needed to support compliance with the GDPR. This team should decide on an overall strategy, which new security and privacy measures need to be enacted, a timeline for implementation, and how employees will be trained on the new processes.
Under the GDPR, responsibility for protecting personal data expands from being solely an information technology function to a duty shared by everyone in the organization. Successful cross-functional collaboration not only ensures your compliance plan is comprehensive, but also builds company-wide buy-in.
Know your data. A foundational activity on the way to GDPR compliance is understanding your data.
This means gaining insight into the type and location of the data you hold, as well as how it flows through the organization, where it originates and where it is stored, including any third-party processors and cloud services that hold it on your behalf.
Understanding which data falls under the GDPR is important, since the regulation broadens the definition of “personal data” beyond obvious identifiers such as names, addresses, national identification numbers and phone numbers to include any information relating to an identifiable person, including genetic, biometric, mental, cultural, economic and social characteristics, as well as online identifiers such as IP addresses. Next, examine your current practices for governing and managing information. Have you already established sound practices for the retention, disposition, preservation and protection of sensitive information? A formal information governance program is fundamental to GDPR compliance.
Understand the GDPR and create an overall GDPR strategy. Understanding your organization’s data and how it is currently managed is key to determining where your organization already complies with the requirements, and where there are gaps that require remediation. Some of the key components of the GDPR that you need to become knowledgeable about include:
· Updated and more stringent rules for obtaining consent to use personal information (consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give)
· The mandatory appointment of a data protection officer (DPO) for certain organizations
· Mandatory data protection impact assessments (DPIAs) for processing likely to pose a high risk to individuals
· A common data breach notification process: notice to the supervisory authority within 72 hours of becoming aware of a breach, and to the affected individuals where the breach is likely to result in a high risk to them
· Data protection by design and by default (often called “privacy by design”)
· The “right to be forgotten” (the right to erasure), alongside expanded rights of access and data portability
· Expanded liability for the management of personal data, including direct obligations on processors and not only on controllers
Understanding these rules and assessing your current practices against the requirements will help your team develop a prioritized strategy to close any existing gaps and achieve compliance.
Ultimately, the new regulation is intended to hold organizations accountable for the large amounts of personal data they maintain. Establishing a GDPR compliance framework, and ensuring all employees are educated and trained on their roles and responsibilities, is critical to successful compliance with the new requirements.
The GDPR entered into force in May 2016 but does not become enforceable until May 25, 2018. Waiting until the last minute will result in unnecessary stress and risk, unprepared employees and a greater likelihood of compliance issues. The stakes are high, so make sure that when the GDPR becomes enforceable, your organization is ready.