5 tips for achieving GDPR compliance
The European General Data Protection Regulation will have a global impact when it goes into effect on May 25, 2018, according to Gartner Inc. And the firm predicts that by the end of 2018 more than half of companies affected by GDPR will not be in full compliance with its requirements.
"The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well," said Bart Willemsen, research director at Gartner. "Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data."
Gartner recommends that organizations act now to ensure they are compliant when the regulation takes effect. They should focus on five high-priority changes to get up to speed with GDPR requirements:
Determine your role under the GDPR
Any organization that decides on why and how personal data is processed is essentially a "data controller," Gartner said. So GDPR applies not only to businesses in the European Union but to all organizations outside the EU processing personal data for the offering of goods and services to the EU, or monitoring the behavior of data subjects within the EU.
Appoint a data protection officer
Many organizations are required to appoint a data protection officer, and this is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities, Gartner said.
Demonstrate accountability in all processing activities
Few organizations have identified each process where personal data is involved, the firm said. Going forward, data quality and data relevance should be decided on when starting a new processing activity, it said, as this will help to maintain compliance in future personal data processing activities. Organizations need to demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities.
Check cross-border data flows
Data transfers to any of the 28 EU member states* are still allowed, as well as to Norway, Liechtenstein and Iceland, Gartner said. Transfers to any of the other 11 countries the European Commission (EC) deemed to have an "adequate" level of protection are also still possible. Outside of these areas, appropriate safeguards should be used.
Prepare for data subjects exercising their rights
Data subjects have extended rights under the GDPR, Gartner said. These include the right to be forgotten, to data portability and to be informed of data breaches. If a business isn’t prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls, the firm said.