What is GDPR? You are going to start hearing more and more talk about GDPR. Do you know all you need to know to ready your organization?
The General Data Protection Regulation (GDPR) replaces the European Union (EU) Safe Harbor Directive and will be directly applicable in all EU Member States without the need for implementing national legislation.
GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the EU.
With the volume of businesses operating across borders, international consistency in data protection laws and rights is vital for organizations as well as individuals.
According to the UK's Information Commissioner's Office, the GDPR applies to both controllers and processors, placing further obligations on both to protect records of personal data. Controllers determine how and why personal data is processed, while processors act on behalf of controllers.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities, and you will have significantly greater legal liability if you are responsible for a breach. The additional coverage of controllers broadened the applicability of GDPR beyond what was established in the Safe Harbor directive.
Good news! You have some time to prepare for GDPR. It becomes effective May 25, 2018, at which time substantial changes will be required of organizations conducting business activities in the EU in terms of information management best practices.
Why prepare for GDPR?
Many organizations manage privacy records, such as Personally Identifiable Information, across multiple systems, have records from many countries blended together, store records as email attachments, and also store them in collaboration sites with no real taxonomy or metadata scheme to classify them as privacy-impacted records. There are several questions to ask when GDPR preparation hits your agenda, all of which only begin to convey the significance of getting ready for this change to organizational information governance requirements.
- What are the new obligations under the GDPR that apply to your organization?
- What gaps exist between your existing level of compliance versus the new standard required under GDPR?
- What changes should your organization make to assure compliance with the GDPR?
- What does a reasonable implementation and roadmap look like and how much should it cost?
In order to answer these questions, an assessment of the risks in the existing corporate records and information management program is needed.
These include, but are not limited to, GDPR applicability, GxP (Life Sciences only), other regulatory risks, and security and other data privacy risks. Additionally, analysis of current program gaps against industry best practices in areas such as people, process, technology, digital information management and governance should all be addressed, and this often includes the need to develop or update an enterprise data map.
The chief goal in getting prepared for the emergence of GDPR is development of an information governance-based future state roadmap and implementation plan to position your enterprise for the impending regulatory requirements.
What to do first? Establish a set of criteria to serve as the foundation of an information discovery.
With GDPR on the horizon, it will be increasingly important for impacted organizations to collect and collate data from stakeholders about the repositories used to generate, manage and archive data, as well as to identify policies, procedures, contract templates and existing inventories of these systems. Enterprise-wide collaboration will help drive the preparation for GDPR.
Fortunately, today is a great day to get started!
Is preparing for GDPR on your agenda for 2017? Got a GDPR preparation question? Let us know in our Leave a Comment section below!