The new EU legislation, the General Data Protection Regulation (GDPR), is a comprehensive reform of data protection rules that will replace the Personal Data Act (PUL) in May 2018. All organizations that manage personal data are affected by GDPR. It entails extensive new data security and reporting requirements as well as increased financial penalties for non-compliance. Many organizations are unprepared for GDPR and not certain who should take the lead internally.
By acting early, adopting a structured and holistic approach covering both legal and IT aspects, you have the right foundations for successfully achieving GDPR compliance and will gain control of your Master Data as a result.
Get the facts right… and actionable
GDPR can appear complex and overwhelming at first sight. Our impression is that few companies fully grasp its implications and how it will impact their current processes and policies for data management, reporting and IT governance. In fact, 66 % of Swedish organizations are unprepared and only 3 % have a formal plan for the required changes[i]. We also find that many business leaders are frustrated and feel inhibited by uncertainty about how and to what extent GDPR will impact their business.
And yes, GDPR consists of a comprehensive set of rules and requirements for managing and processing personal data. For instance, every organization may have to appoint a Data Protection Officer, implement integrated data protection (“Privacy by Design”) and maintain internal records of their processing activities. If there is an incident or data breach, you are obligated to notify the Data Inspection Board without undue delay and within 72 hours. Furthermore, every time you are considering a new activity that poses material privacy risks, you must first perform an impact assessment. If it indicates a high risk, a prior review by the Data Inspection Board must be obtained. This calls for structured and efficient reporting processes. *
However, taking on GDPR doesn’t need to be that difficult. By using a holistic three-step approach that combines legal reviews of compliance with laws and regulations with IT assessments, you will identify the actions necessary to secure compliance.
GDPR affects all organizations that collect, store and process personal data in the EU.
Breaching GDPR can result in prosecutions, enforcement notices and/or significant monetary penalties of up to €20 million or 4 % of annual global turnover.
Step 1: Start by assessing legal compliance
Start off with a legal review of your current level of compliance with the PUL/GDPR to identify gaps and the actions necessary to achieve full compliance. Do you have sufficient policies to meet the new standards for reporting, managing personal data and transparency? One crucial task is to perform a thorough review of the underlying agreements for consent forms; another is to ensure the right agreements are in place between your company and your company’s partners. At this stage, we recommend getting an outside opinion from an experienced legal partner who understands the connection between laws and regulations and IT.
Step 2: Identify necessary changes to IT
The second step is the vital IT assessment, where you perform an overall mapping of the areas within IT that are relevant to GDPR. Do your systems support formalities such as consent forms, secure data storage and logs for tracking personal data and its processing? Do you have sufficient routines for incident management and for reporting breaches to the market department and the Data Inspection Board? By comparing your IT governance with best practice and international standards, you will gain a better understanding of the required changes and can create an action plan for compliance.
Step 3: Establish a governance structure that achieves compliance over time
Finally, you have the right foundations for setting up a governance structure with principles, processes and systems that support GDPR compliance. The result will include guidance for compliance with laws and regulations (documents, policies, processes) aligned with an integrated management system. Change management is key, and you should start preparing your organization as early as possible.
GDPR is already a reality that requires and deserves the preparation needed to be compliant. It aims to modernize the current regulation in order to keep up with globalization and technological development (Big Data, IoT) and allow European citizens and businesses to fully benefit from the digital economy.
Businesses that fail to plan and budget for the adaptation to GDPR early enough may be left with insufficient time and resources to achieve compliance. In order to prepare for the change as swiftly as possible, we recommend a three-step approach covering: a legal assessment of current compliance with laws and regulations, an assessment of IT governance and the applications supporting data management, and finally a recommendation for and set-up of a governance structure.
BearingPoint has extensive experience from working with all types of organizations and a toolbox covering both legal and IT aspects to make your GDPR transition as smooth as possible. We can simplify your transformation and help you develop a roadmap and action plan to become compliant in time and without interrupting your daily operations.
*The final text of the legislation has yet to be finalized; this is an early and non-exhaustive description.
[i] Source: www.dimensionalresearch.com