GDPR – How it works and what steps to take!

Share this post:

Don’t panic when you hear GDPR, make sure to have your systems and processes in order. It is now become a law, although member states have a two- year period to implement into national law. This means that companies will be expected to be fully compliant from May 25th 2018.

Organisations outside the EU are subject to this regulation when they collect data concerning any EU citizen. However, 50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate, and this may lead many companies to appoint a Data Protection Officer.

The new EU regulation has affected businesses worldwide. What are the business implications of GDPR? How will business, whether based in the EU or not, comply with the long list of do’s and don’ts under GDPR.

Here are the Top Three things that companies must be aware of:

Personal data: It is defined as any information relating to an identified or identifiable natural person. This includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the data subject.

This also includes indirect information, which might include physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual. There is no distinction between personal data about an individual in their private, public, or work roles – all are covered by this regulation.

Penalties:  There will be potentially be a substantial increase in fines for organisations that do not comply with this new regulations. Penalties can be levied up to the greater of ten million euros or two percent of global gross turnover for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.

These penalties may be doubled to twenty million euros or four percent of turnover, for violations related to legal justification for processing, lack of consent, data subject rights and cross-border data transfers.

Organizational measures: Companies will be required to implement appropriate technical and organisational measures in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development. These safeguards must be appropriate to the degree of risk associated with the data held.

A few key steps for organisations to consider are –

• Ensure key departments are aware that the law is changing, and to anticipate the impact of GDPR.
• Document what personal data is held, where it came from and with whom it is shared.
• Review current privacy notices and make any necessary changes.
• Review procedures to address the new rights that individuals will have.
• Plan how to handle requests within the new time frames and provide the required information.
• Identify and document the legal basis for each type of data processing activity.
• Review how consent is sought, obtained and recorded.
• Make sure procedures are in place to detect, report and investigate data breaches.
• Designate a Data Protection Officer to take responsibility for data protection compliance.

GDPR affects various aspects of an organization and there’s no magic bullet to help them get there.  It requires holistic thinking and approach towards people, process, policy and instrumentation. Technology is of course the great enabler and accelerator.

IBM offers a comprehensive approach to prepare for GDPR compliance with solutions and services from assessment to full-scale implementation. Our approach covers all necessary activities to support GDPR readiness across five domains: GDPR governance, employee training and communications, processes, data and security. IBM services and solutions are available to support you at each phase in the GDPR readiness journey. IBM Information Lifecycle Governance provides insight into all personal data and the tools and methodology to syndicate, instrument and enforce policies. IBM Security provides pervasive and intelligent internal and external network defences, incident response and security restrictions. Our Citizen Interaction Centre is pivotal in helping fulfil citizen GDPR rights and our Optim solution brings method, tools and state-of-the art technology to control and desensitise personal data.

Start your GDPR journey with IBM. Time to act is now!