450 DAYS UNTIL THE NEW DATA PROTECTION REGULATION (GDPR) BECOMES LAW – READY?

It can hardly have escaped anyone’s notice that the new General Data Protection Regulation, or GDPR, will enter into force next year. But with just 450 days to go, companies’ knowledge of GDPR is still shockingly poor.

GDPR enters into force on 25 May, 2018, and applies to all companies operating in the EU or handling the personal data of EU citizens. Despite this, several surveys reveal that companies have very limited knowledge of the legislation. In a survey by Dimension Research, pretty much all the companies that were approached (97 percent) had no finished plan in place for GDPR compliance. This is despite 90 percent of the companies admitting that their existing procedures and control systems were inadequate.

GDPR includes a vast number of new requirements that need to be considered. Meanwhile the introduction of painful financial sanctions for those that breach the law, means the work of implementing GDPR should be at the top of everyone’s agenda. And that’s just not the case at the moment.

Several experts believe implementing GDPR will involve more work than the effort that was required to manage the millennium bug. And you have to remember that we had several years to plan and prepare for the millennium bug. A lot more time than 450 days...

The route to compliance

So what do we need to do to ensure we’re complying with GDPR when it eventually becomes law? Here are a few essential tips to help you achieve compliance:

  • Knowledge and training are key factors for a successful GDPR project. Management and other stakeholders must understand the implications of GDPR, what needs to be done, and why.
  • Conduct a review to gain a preliminary understanding of the scope involved, both territorially and in terms of data flows. This will help ensure that all personal data is managed and gives you a chance to examine opportunities to perhaps reduce the scope of the GDPR project.
  • Carry out an analysis to find answers to the following questions:

- What personal data is collected and managed?
- How is that data collected? How is it used? How is it sent and stored?
- How, and using what method, can the data be shared?
- How well are you protecting the registered person’s rights?
- On what legal basis are you managing personal data in your organization?
- What security measures and protective mechanisms are in place to address identified risks?

  • Analyse critical data flows to help you identify where personal data is stored. A data flow diagram makes it easier to see where security measures need to be implemented to reduce the risk of a personal data incident.
  •  Based on the diagram, analyse the legal requirements that need to be satisfied depending on the kind of personal data identified. Then transform the legal requirements into security requirements.
  • Using the identified requirements, do a gap analysis to see which ones have already been dealt with and which still need to be addressed. Implement the relevant requirements so that when this is done, you will be complying with the requirements defined in GDPR.
  • Everyone who handles personal data needs to understand the content of GDPR. Make sure everyone receives the necessary training to carry out their duties properly and effectively.

How far has your company come in terms of implementing GDPR? What do you regard as being the main challenges?