The General Data Protection Regulation covers personal data of European Union residents and affects firms holding a person’s data moving across EU jurisdictions.
Designate a Data Protection Officer
The Information Security Forum (ISF) anticipates that most organizations will need to designate a data protection officer (DPO), and the International Association of Privacy Professionals' (IAPP) research suggests that up to 75,000 new DPOs will be required worldwide.
The likely shortage of qualified individuals, coupled with the length of typical corporate hiring cycles, means that organizations that have not yet designated a DPO should do one of three things: start recruitment now, identify an internal candidate and start training him or her, or seek external expertise to fulfill the role requirements.
The GDPR Moves to the Forefront
The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next 18 months will be a critical time for their data protection regimes, as they determine the applicability of the GDPR, as well as the controls and capabilities they will need to manage their compliance and risk obligations.
Because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process, along with closer cooperation between multiple departments, in particular, the legal unit. This coherence is essential, as Data Protection Authorities (DPAs) will want to see a transparent rationale for remediation actions taken in response to a data breach.
The cost of non-compliance is certainly going to increase, not only from new sanctions and fines, but also in the court of public opinion. Reporting requirements will steadily push more data breaches into public view, creating reputational risks that many organizations have thus far avoided. Companies that establish themselves as trusted data protectors will benefit commercially.
With reform on the horizon, organizations that are already doing or are planning to do business in Europe should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it.
Don’t wait for the reform to be instituted. By that time, it will be too late.
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, bring-your-own-device policies, cloud computing, and social media across the corporate and personal environments. Previously, he was a senior vice president at Gartner.