The Changing Dynamics of Data Protection, IT Governance and the International Transfer of Data.
Many organisations face the challenge of needing to comply with the new EU General Data Protection Regulation (GDPR) by May 2018. There is no shortage of advice as to what these organisations need to live up to, but currently, there is little information or guidance as to how to do it. Developing a GDPR Roadmap with an implementation framework should be an early priority to ensure an organisation is focused on doing the right things, in the right way and at the right time.
In many respects, tackling GDPR requires the same approach as addressing most governance, risk management or compliance legislation: understand the new requirements (the "to-be"), assess the current state (the "as-is"), identify the gaps, and then prepare, prioritise and plan how to address those gaps.
However, GDPR requires a more holistic approach, as it affects multiple levels of the organisation at once. A GDPR project should therefore be initiated, and a professional Project Manager appointed who can orchestrate stakeholders from key areas including operations, legal, IT, HR, Information Security and, of course, the business itself. Their first task is to identify and assess the key impacts, typically against the following parameters:
- Process e.g. existing processes and procedures require modifying, new processes needed
- Organisation/people e.g. new roles and responsibilities, new competencies, training, education, awareness, change of mindset
- Technology e.g. changes to existing applications & infrastructure, new systems, supporting tools during and after the project
- Information assets e.g. changes to existing strategies, policies, contracts and agreements, and formulation of new ones
The key impacts, together with the actual GDPR requirements, will in turn lead to the identification of a number of key deliverables that form the backbone of an organisation's GDPR Roadmap. Underpinned by detailed descriptions of each deliverable and of the key tasks and resources needed to produce it, the roadmap is a vital tool for demonstrating that an organisation will meet its GDPR compliance goal.
Developing a draft GDPR Roadmap can be achieved in a day by gathering the key stakeholders in an organisation in a facilitated workshop.
"The material geographical impact is the legislation's extraterritoriality. The moment a website places a tracking cookie on an EU-based device, or an app collects device usage data, you are endangered!"
"Safe Harbor is a commercial program designed to keep European markets open in the face of a potential non-tariff trade barrier".
"Safe Harbor is a self-regulatory framework. The referral mechanism to forward suspected violations by the third party has the appearance of weak enforcement and currently does not have any legitimate foundation".
"The borderless nature of GDPR data flows stresses the need for a new data protection paradigm designed to attach the components of GDPR in a framework".