The GDPR – the EU's newly introduced legal framework for the protection of personal data – is now in place, and will be enforced from May 25, 2018. Organizations have less than 18 months (from the publication date of this white paper) to put in place the organizational and technological measures needed for compliance. The cost of non-compliance is extremely high in both financial and non-financial terms, so doing nothing in response to the GDPR is not a viable option. A few concluding statements and implications follow.
While the word “General” appears in the title of the GDPR – signifying a newly harmonized and unified approach to data protection to be applied across Europe – the “G” could equally stand for “Global.” The Regulation applies to every organization anywhere in the world that controls or processes personal data of EU residents, and the financial penalties regime for organizations found in non-compliance is based on total worldwide revenue, not only on revenue earned within EU member states.
In summarizing this white paper, there are three implications of the GDPR that decision makers must consider:
• Re-examine your data strategy
The implications of the GDPR for organizations can be summarized simply: every affected organization needs to immediately undertake a significant re-examination of its data strategy for personal and sensitive personal data. Specific requirements in the GDPR need to be planned for, and organizational and technological approaches implemented to resolve problems, strengthen policy and protections, and mitigate the worst outcomes. In accordance with the general principle of Article 25 of the GDPR, data protection must be “by design and by default.” Failure to prepare adequately will push firms into a compliance quagmire once May 2018 arrives.
• Non-EU firms have to play rapid catch-up
The second major implication of the GDPR is for those organizations that were not subject to the earlier EU data protection directive because they were not based in one of the member states. The new, level playing field introduced by the GDPR applies to all firms everywhere if they control or process personal data on EU residents. Organizations previously subject to the data protection directive have had a 20-year head start to develop the appropriate organizational and technological approaches to operating successfully in Europe. The GDPR calls for new capabilities from these firms, but the foundation is already in place.
For organizations newly impacted by the GDPR, there is a lot of catch-up required.
• Organizational + technological responses
Third, although we have focused mainly on technological responses to the GDPR in this white paper, technology alone is insufficient to comply with its mandates. By all means, every organization should embrace the best technology on offer, but this has to be done as one coordinated element of a wider organizational response. Achieving GDPR compliance is not something the IT department can do alone. Compliance will require a set of coordinated and appropriate responses from the organization as a whole, with strategy, policy, training, and governance processes built on expertise from various groups, including Executive Management, Legal, Human Resources, Training, and the IT Department. And finally, since the sanctions regime could threaten the very existence of a firm, Board-level visibility will be essential.