CEO’s guide to ensure compliance with GDPR


Overview of the GDPR

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations all over the world. The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

For organizations, the key changes that the GDPR introduces on top of the existing EU Data Protection Directive are depicted below.

[Figure 1: key changes introduced by the GDPR over the EU Data Protection Directive]

Implications to business

Organizations need to begin by reviewing their existing privacy and data management practices. Failure to comply with the GDPR could prove costly, as companies that do not meet its requirements and obligations could face substantial fines and reputational harm. For the most serious infringements, the supervisory authority can fine up to 20,000,000 euro or 4% of total annual global turnover, whichever is greater. Failing to notify a breach when required to do so can result in a fine of up to 10 million euro or 2% of global turnover.

According to Trend Micro’s UK study[1] regarding the GDPR:

  • 50% of UK IT decision makers are unaware of the impending legislation
  • 25% are adamant that compliance is not achievable

[1] Source: http://www.trendmicro.co.uk/newsroom/pr/poor-knowledge-of-eu-data-protection-regulation-puts-businesses-at-risk-of-fines/

CEO’s guidance to ensure GDPR readiness

Chief business executives now need to react immediately and follow the steps below (as depicted in the diagram). The important first step is to figure out the types of personal data [such as PII (Personally Identifiable Information), PHI (Personal Health Information), etc.] that the organization collects, processes and stores, and, most importantly, where that data resides.

[Figure 2: steps for the CEO to ensure GDPR readiness]

The CEO can ask the governing team to define an information security and privacy management mechanism within their existing frameworks, such as the ISO/IEC 27001:2013 security standard, the NIST Cybersecurity Framework, etc. The CEO needs to understand the risks, based on the outcome of the security controls that are in place (across the various security vendor technologies) for identifying, preventing, detecting, isolating and remediating data breaches involving customers’ personal data.

Another key aspect the CEO must not overlook is the ‘mandatory breach notification’ requirement: a process mechanism has to be put in place that takes care of this element. Security is a continuous process, and it has to be reviewed periodically across business functions.

Most CEOs would seek help from security consulting organizations on this journey, to help their teams safeguard customer data and business imperatives.


2 thoughts on “CEO’s guide to ensure compliance with GDPR”

  1. The issue is not that a lot of GDPR requirements are not new (95/46 Directive) but that the status of compliance with these requirements can be very low, due to the fact that the Member State Data Protection Authorities’ mandate and capabilities (budget left by the State and legal prosecution capabilities) to perform on-site audits is highly sized or not.
    Making an organisation GDPR compliant can be a daunting task because it includes reviewing all the business processes and information architectures (applications + data), often laid aside, AND information/data handling in the several exchange contexts. It’s not a project for modification, it’s at least a programme which includes all functions, not only legal and security but also architecture and service management, where new design models must be defined taking into account a real “information/data asset classification”. Global, entire horizontal as well as helicopter views are needed as an output from a Company Sponsoring Group.
    Let’s be honest and courageous to say that barely 10% will satisfactorily reach GDPR compliance (that is: not paying a major infringement fee) in 2018. It will be a journey of several years, 2 to 5, according to the maturity of the privacy and security handling but also of the Information Systems interfacing and exchange that create and manage personal data at rest or in transit and that should be modified to prove that personal rights can be exercised (consent, right to modification, right to be forgotten) for real.

  2. The preamble to this article is well stated, except for the fact that a lot of the requirements are not new; a lot are extended from existing ones and mandatory as opposed to implicit.
    The approach here is overly simplified as well. CEOs may walk away with an underestimation of the task at hand and no view of how to focus on the most material areas that will contribute significantly to operational VaR.