Reflections/confessions of a GDPR Data Protection Officer (Part III of III)
In the first two reflections I focused on how we implemented GDPR (Part I) and on the issues and problems my colleagues ran into (Part II). The primary concern in both was dealing with the critical GDPR issues and with the role and responsibilities of the DPO, which of course vary considerably with the culture, level of proficiency and maturity of the organisation.
In this blog I will focus on how GDPR will affect organisations across all industry sectors, and on how and why every business must ensure it is up to speed before the regulation becomes applicable on 25 May 2018.
Global misuse and abuse of personal data
Implementing GDPR is probably the most demanding compliance undertaking most organisations have ever attempted. First, management needs to understand the effect of the most complex and least understood data protection law created since the US Sarbanes-Oxley Act (SOX), which dealt with internal controls over financial reporting. Management, the CISO, compliance staff and others are confused because the EU regulators have issued hundreds of pages of more or less practical guidance. The fact is, however, that the oversight authorities never gave the same amount of attention to interpreting the most basic and essential aspects of the 23-year-old EU Data Protection Directive (95/46/EC) that GDPR replaces. Since hardly any organisation in the EU followed or complied with the primary and critical elements of the old law, implementing and complying with all the nuances of a law as large as GDPR in a few months is an enormous compliance task.
There is, however, no reason to panic, and management should not simply resort to a Formula 1 solution and buy a Ferrari to hurry to the destination. In spite of the legislative burden of the new rights for individuals, the administrative fines of up to 2% or 4% of global annual turnover (or €10 million / €20 million, whichever is higher) and more, GDPR implementation and compliance is a journey, not a destination. https://www.eugdpr.institute/gdpr-thought-leadership/
Avoiding the likely toll on reputation and adverse publicity
The new legislation will bring some long overdue privacy consistency for all individuals in the EU. Above all, for both employees and global organisations across Europe and the world, GDPR will apply to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the data is stored, hosted or accessed. That makes it a level privacy playing field for all organisations.
In May 2018 the GDPR will finally become applicable and enforceable. The central question, however, is what that will mean in practice for organisations implementing data protection, data privacy and IT security across the organisation. Some of the most important milestones are:
- How to avoid accidental breaches and ensure that all employees are prepared, aware and understand what they need to do to remain compliant with the GDPR.
- Human error, very often involving email, caused by a lack of understanding and knowledge, has proven to be the primary cause of data breaches in the past. Careless mistakes make up a significant percentage of security law violations, and in future of the resulting fines.
- Organisations must therefore ensure that they are up to speed by conducting awareness seminars or online training for all employees. Start with three critical GDPR issues, then build on that awareness training with the next three GDPR issues, and so on.
Noncompliance could have disastrous consequences for organisations
We will focus on culture/discipline (structure), accountability (process) and the right to be forgotten (mandate) in our next awareness training, in cooperation with The EUGDPR Institute: https://www.eugdpr.institute/training/ and http://www.eugdpr.institute/wp-content/uploads/2017/10/GDPR-Staff-Awareness-Introduction.pdf.
Adequacy of design and default
All companies should send their representatives to The EUGDPR Institute's seminars in Copenhagen, Sofia, Helsinki, London, India or China as GDPR regulatory action becomes more focused, either for a structured implementation or for updates. At the one- or three-day seminars companies get a better view of where the GDPR priorities should lie in relation to: building a comprehensive GDPR framework of internal policies, privacy by design and by default, robust governance mechanisms, strengthening of consent, the introduction of new rights for data subjects, preparing for cybersecurity breaches, developing a workable system of data protection impact assessments, reviewing the effectiveness and efficiency of security solutions, the role and responsibilities of a pragmatic DPO or similar, tightening vendor agreements, legitimising international data transfers, and more. There is therefore no excuse: all of these GDPR issues can be addressed before the May 2018 deadline, as structured guidance, templates, generic policies etc. are provided at the seminars. https://www.eugdpr.institute/events/
No company or senior management should settle for anything less than the highest standards of privacy, data protection and IT security, in spite of time constraints. Not following a structured and integrated approach is not an option and could have dire repercussions for data protection and processes. Multinationals, on the other hand, must seek to operate within the GDPR one-stop-shop framework and reap the benefits of harmonised EU data protection as they continue to apply it across the organisation.
If time and resources permit, companies that have implemented the basics of GDPR in their business environment can go on to connect big data to advanced IT solutions and platforms. These companies can even use algorithms and artificial intelligence to support GDPR implementation, for example to detect gaps in the individual GDPR components early and with greater accuracy.
Tone-at-the-Top and the corporate strategic IT agenda
GDPR security and data protection policies require entirely new roles and responsibilities for managing data and information security within the organisation, and for proactively monitoring networks and identifying potential security threats in real time.
Preparation for the implementation of the new legislation is essential. The implementation groundwork must include a review of the current organisational setup, potential system upgrades and process changes, and must provide all stakeholders with new implementation guidelines, a timeline and thresholds for IT governance and compliance.
The liability, penalties, lawsuits and possible reputational damage in case of a breach or non-compliance make GDPR data protection a boardroom issue. The Board of Directors of every organisation must seriously consider how to ensure compliance with the GDPR, cybersecurity and data security, and rank it high on the strategic data security and IT agenda.
For part I of the DPO observations see: https://www.linkedin.com/pulse/confessions-reflections-dpo-part-i-iii-kersi-porbunderwalla/
For part II of the DPO observations see: https://www.linkedin.com/pulse/2018-gdpr-update-from-eugdpr-institute-reflections-ii-porbunderwalla/
The EUGDPR Institute has several one- to three-day FAS and DPO seminars planned that could well provide you with the guidance you need to start your GDPR journey in a structured and integrated way.
Copenhagen, 1 day. http://eugdpr.institute/2018/jan/fas/
Copenhagen 3 day. http://eugdpr.institute/2018/jan/dpo/index-web.html
Sofia 3 Day. http://eugdpr.institute/2018/jan/sofia/dpo/index-web.html
Helsinki 1 day. http://www.eugdpr.institute/2018/feb/espoo/fas/index.html
Helsinki 3 day. http://www.eugdpr.institute/2018/feb/espoo/dpo/index-web.html
London 1 day. http://eugdpr.institute/2018/cass/080218/mailer/
London 3 day. http://eugdpr.institute/2018/cass/220218/mailer/