In less than 300 days, the European General Data Protection Regulation (GDPR) will go into effect and forever change the privacy landscape. Gartner, Inc., a leading industry research organization, predicts that more than 50 percent of companies affected by the GDPR will not be fully compliant. Of course, the affected companies will include both European and non-European companies. Bart Willemsen, research director at Gartner, says “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects, tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
How can organizations prepare for the GDPR? Gartner recommends organizations focus on five high-priority areas:
- Determine Your Role Under the GDPR – The GDPR applies to any organization that processes personal data for the offering of goods and services to the European Union (EU).
- Appoint a Data Protection Officer – Organizations are required to appoint a data protection officer (DPO) if their processing operations require regular and systematic monitoring or if they have large-scale processing activities.
- Demonstrate Accountability in All Processing Activities – Accountability under the GDPR requires proper data subject consent acquisition and registration. Consent must be given by a clear and express action, which requires organizations to implement streamlined techniques to obtain and document both consent and consent withdrawal.
- Check Cross-Border Data Flows – Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries the European Commission (EC) deemed to have an “adequate” level of protection are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU “Model Contracts”) should be used.
- Prepare for Data Subjects Exercising Their Rights – The rights of data subjects have been extended under the GDPR. These rights include the right to be forgotten, the right to data portability and the right to be informed of a data breach. A well-defined process to handle data breach incidents needs to be documented and followed.