Do you have a GDPR program in place? Since May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) has been in effect, providing enhanced protection for the personal data of European customers. The regulation affects all businesses that acquire, store, or process the personal data of EU citizens; GDPR impacts both businesses within and outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. To learn more about what it takes to be GDPR compliant, check out our webinar, here.
Which Companies Does GDPR Affect?
- Companies that have a presence in an EU country
- Companies that hold any personal information about EU citizens
- Companies with more than 250 employees
- Companies with fewer than 250 employees, but whose data processing/collection may impact freedoms and rights of data subjects, or includes certain types of sensitive personal data
Why Initiate a GDPR Program?
The cost of non-compliance could be high, with fines of up to €20 million, or 4% of a company’s global revenue. GDPR compliance requires a combination of well-defined and audit-proof policies, processes, and alignment amongst general counsel, compliance, internal audit, business units and IT organizations to effectively identify, secure, retain, and govern sensitive data of EU citizens. Learn more about the ins and outs of GDPR, here.
HOW CAN YOU ALIGN WITH GDPR?
- Conduct a thorough review of the Articles.
- Conduct an initial DPIA (Data Privacy Impact Assessment).
- Based on the initial DPIA, use the diagnostic to assess key program constructs that require attention.
- Define an implementation blueprint in terms of strategy, process, data, security, technology and people to address the Articles and DPIA findings.
- Identify opportunities for automation (key to enabling and accelerating consistent, repeatable processes, including future DPIAs).
- Create a business case/cost model for the entire program including support as requirements are released into production.
- Create a high-level program plan that includes key milestones for introducing capabilities in an iterative, incremental, systematic manner.
- Identify a DPO sponsor (possibly existing Chief Data Officer).
- Define the organizational structure, roles, responsibilities, and operating model required to support the program.
- Establish a formal training program to communicate the necessity of the program, accountabilities, work streams, milestones, and on-going change management.