Note: This is the ninth post in an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
GDPR Final Preparations
Each passing day we get closer to the date for compliance with the European Union’s (EU) General Data Protection Regulation (GDPR), 25 May 2018. If your organization is affected and must comply with GDPR, many of the initial steps to compliance should have already been taken. Our focus today will be on making final preparations to be ready for GDPR. However, don’t let “final preparations” be misleading. Even though your organization may have taken many steps toward compliance, data protection will never be “final”. It will be an ongoing effort to maintain compliance and keep abreast of new threats, technologies, and data protection standards.
By now most organizations should have determined whether they will be impacted by GDPR. The organizations affected should also have appointed personnel as necessary. An example would be appointing a Data Protection Officer (DPO) to oversee the GDPR program. The DPO should already be assisting in providing accountability for data processing. Under GDPR there simply must be accountability and transparency from organizations as it pertains to data protection measures.
So while organizations may at this point have implemented the broad strokes of a GDPR compliance strategy, there are some finer points that should be taken into consideration as we approach the date for compliance. Although this first item should have been, and probably has already been, covered, it doesn’t hurt to mention that organizations must understand where their data is going. Under GDPR data can only be transferred between the 28 EU Member States and SPECIFIC countries that have been deemed to have an appropriate level of data protection in place. Organizations must know where their data is and where it is transferred to in order to ensure that it is not being transferred to countries not approved to send or receive that data.
Another area in final preparations for GDPR is understanding the rights of citizens going forward. Businesses and organizations will face big changes in this area. In the past, vague privacy notices and vague agreements, in which customers at times unwittingly gave permission for organizations to collect data, were common; this must change going forward. Privacy notices and customer consents will have to be clear and concise under GDPR. Two of the biggest changes that organizations will have to be aware of are the citizens’ “right to be forgotten” and breach notification standards. Breach notification may in fact be the single biggest change under GDPR.
Many times citizens are not made aware of a compromise of their personal data until months or even years after a breach occurs. As discussed in our previous GDPR posts, delayed notifications to citizens will simply not be tolerated under GDPR.
Every day we get closer to 25 May 2018 and a data protection world governed by GDPR. Hopefully most organizations that will be scrutinized under the GDPR standards have taken steps to become compliant. As we move forward, we will approach GDPR and a new world of data protection together. Stay tuned to this blog series for more updates.