Now that the EU General Data Protection Regulation (GDPR) is upon us…what happens next? In this industry perspective, Steve Schlarman of RSA writes that GDPR compliance isn't a one-time affair: the requirements of the law are likely to be woven into the fabric of how businesses operate, inside and outside the EU.
When the European Union (EU) General Data Protection Regulation (GDPR) took effect on 25 May 2018, it brought many changes for organizations that handle the personal data of European residents. It also brought with it a question: 'what happens after the deadline?' The fact is that addressing the requirements of the GDPR did not end on 25 May, the day the regulation became enforceable. Rather, the regulation lays a foundation that must be folded into ongoing operational risk and compliance strategies.
The GDPR is intended to strengthen the privacy rights of individuals in the EU and the security of their personal data, whether that data is stored inside or outside the EU. Its scope covers organizations established in the EU as well as organizations outside the EU that control or process personal data of individuals in the EU, where that processing relates to offering them goods or services or to monitoring their behaviour (Article 3). That extraterritorial reach makes the GDPR a truly global compliance requirement.
Preparation before the deadline was focused on understanding the nuances of the regulation and applying its requirements to the business. As with all compliance legislation, this step is critical to understanding how the requirements affect the organization, what the overall impact is, and what the next steps are in establishing, maintaining and reporting on compliance. While the GDPR has specific articles defining particular steps to be taken, many aspects of it rely on established data security and compliance management practices.
Regulatory obligations generally have an immediate effect on organizational policies and standards, and the GDPR is no different. Based on your organization's interpretation of the regulation and its strategy for compliance, policies may need to be established or altered, employees may require education and training, and controls may need to be implemented or modified within the business as appropriate. This effort should not have stopped on 26 May 2018, the day after the GDPR went into effect. These practices should become established elements of your business operations.
Another key component of a compliance program is the monitoring and measurement of internal controls. Ensuring that controls are properly designed and operating effectively is an ongoing objective of compliance functions. With an organized, managed process to monitor controls and escalate issues identified during control testing, visibility into the state of compliance improves and risk can be addressed in a timely manner. Organizations that react quickly to emerging issues are more resilient and can reduce the cost of GDPR compliance.
Finally, the GDPR is all about data. The regulation starts and ends with the protection of personal data. Many organizations may approach the GDPR with a point-in-time snapshot of their data processing activities. However, cataloging data processing activities, assessing the risk they carry and assigning ownership of them must be an ongoing part of your privacy strategy. Organizations must secure personal data in a number of different ways and be able to demonstrate due diligence in protecting and processing it. This includes restricting access, upholding data subjects' rights over their personal data, and handling data breaches in a timely manner, including notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible (Article 33), in addition to the other elements of data protection.
Globally, organizations have been actively assessing the impact of the GDPR on their business and on their data privacy and data management operations. With the GDPR now in effect, establishing and maintaining compliance designed to protect the personal data of EU residents requires an active, ongoing, operational privacy program. That program has many facets: establishing policies and training, testing and monitoring controls, and implementing data governance processes. The GDPR is not a project that ended on 25 May 2018, but a compelling event that calls for a holistic approach to data privacy extending long beyond the deadline.