CEO’s guide to ensure compliance with GDPR

Overview of the GDPR The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located. In May 2018, a European privacy law is due to take effect…

Irfan

April 24, 2017

2 minutes

Breach Notification, CEO, cloud, Cybersecurity Framework, Data Breach, Data Protection Directive, Digital, EU, Euro, European Union, Fines, GDPR, General Data Protection Regulation, Infringements, News, NIST, Personal Health Information, Personal Identifiable Information, PHI, PII, Privacy, Security Strategy

Overview of the GDPR

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations all over the world. The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

For organizations – in terms of the key changes with GDPR that are super imposed over the EU Data Protection Directives are depicted below

Implications to business

Organizations need to begin by reviewing existing privacy and data management practices. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm. The supervisory authority can fine upto 20,000,000 euro (or) 4% of total annual global turnover – whichever is greater for the most serious infringements. Failing to notify a breach when required to do so can result in a significant fine up to 10 million euro or 2% of global turnover.

According to Trend Micro’s UK study¹regarding GDPR

50% of the UK IT decision makers are unaware of the impeding legislation
25% adamant that compliance is not achievable

¹Source: http://www.trendmicro.co.uk/newsroom/pr/poor-knowledge-of-eu-data-protection-regulation-puts-businesses-at-risk-of-fines/

CEO’s guidance to ensure GDPR readiness

Chief business executives now need to react immediately and simply follow the below steps (as depicted in the diagram). The important first step is to figure-out the types of personal data [such as PII (Personal Identifiable Information), PHI (Personal Health Information), etc.] that the organization collects, process and store – most importantly where it resides.

The CEO can propose the governing team to define information security & privacy management mechanism within their existing frameworks such as ISO/IEC 27001:2013 Security Standard, NIST Cybersecurity framework, etc. He need to know the risks based on the outcome of the security controls that are in-place with various security vendor technologies in the process of identification, prevention, detection, isolation and remediation process of the data breaches associated with customer’s personal data.

Another key-aspect that CEO shouldn’t have to miss is on the ‘Mandatory breach notification’ in establishing the process mechanism in-place that takes care of this element. Security is continuous process and this has to get reviewed periodically across business functions.

Most CEO’s would seek help from security consulting organizations towards this journey and to help their teams in safeguarding the customer data and business imperatives.

3 responses to “CEO’s guide to ensure compliance with GDPR”

CISO should redefine corporate security strategy – future of cybersecurity

June 28, 2020 at 12:58 pm

[…] CEO’s guide to ensure compliance with GDPR […]

LikeLike

Reply
Dominique Volon

May 20, 2017 at 5:09 pm

The issue is not that a lot of GDPR requirements are not new (95/46 Directive) but the status of compliance to these requirements can be very low, due to the fact of the Member State Data Protection Autorithies mandate and capabilities (budget left by the State and legal prosecution capabilities) to perform on-site audits is highly sized or not.
Making an organisation GDPR compliant can be a dauting task because it includes reviewing all the Business process and Information architectures (applications+data), often laied aside AND information/ data handling in the several exchange contexts. It’s not a project for modification, it’s at least a programme which includes all functions, not only legal, security but also architecture and service management where new design models must be defined taking into account a real “information/data asset classification” . Global entire horizontal as well as helicopter views are needed as an output from a Company Sponsoring Group.
Let’s be honest and courageous to say that barely 10% will reach satisfactorily a GDPR compliancy (that is : not paying an major infringment fee) in 2018. It will be a journey of several years, 2 to 5, according the maturity of the privacy and security handling but also of the Information Systems interfacing and exchange that create and manage personal data at rest or in transit and that should be modified to prove that personal rights can be exercised (consent, right to modification, right to be forgotten) in real.

LikeLiked by 1 person

Reply
Will van Zyl

April 27, 2017 at 10:09 pm

The preamble to this article is well stated, except for the fact that a lot of the requirements are not new, a lot are extended from existing and mandatory as opposed implicit.
The approach here is overly simplified as well. CEO’s may walk away with an underestimation of the task at hand and no view of how to focus on the most material areas that will contribute significantly to operation VaR.

LikeLiked by 1 person

Reply