The General Data Protection Regulation covers personal data of European Union residents and affects firms holding a person’s data moving across EU jurisdictions.
By Steve Durbin
The General Data Protection Regulation (GDPR) officially goes into effect in May 2018 and will have an international reach, affecting any organization that handles the personal data of European Union residents. This means that any company holding an individual’s data that moves across EU jurisdictions will be affected—even if the company is not based in Europe. Since the account holder’s data is moving across the jurisdiction, the company is responsible for it.
The GDPR aims to establish uniform data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for this reform, including a lack of awareness among major inner stakeholders. The benefits of the GDPR will create several compliance requirements, from which few organizations can completely escape.
However, businesses of all sizes will benefit from the EU-wide uniformity introduced by the reform and will be able to avoid circumnavigating the current array of often-contradictory national data protection laws. Worldwide benefits will accrue as countries in other regions pay more attention to defending mission-critical assets. The GDPR has the potential of serving as a healthy, scalable and exportable system that could become an international benchmark.
The GDPR is not the only data protection obligation with which organization must comply. Therefore, it should be treated as part of a broader data protection management system that encompasses the people, processes and technologies used to control personal data processing.
This can include requirements from a variety of sources, such as local legislation, case law and treaties; sector-specific regulatory requirements; and commercial obligations arising from contractual terms and publicized organizational commitments for personal data processing (e.g., privacy notices and terms and conditions).
These sources, combined with an organization’s values, attitude to risk and compliance demands, largely determine how personal data is protected. Although values, risk and compliance are often in tension, an organization can take a holistic approach, where its values guide the balance between risk and compliance.
Prepare for GDPR Compliance
Before the GDPR begins to be enforced, an organization should have completed its preparations. In doing so, it should ask the following questions:
Have responsibility and funding for GDPR compliance been assigned?
Can the skills to achieve GDPR compliance be deployed, developed or recruited?
Can the requirements of the GDPR be implemented by May 2018?
Demonstrate Compliance With Third Parties
One of the requirements of the GDPR is that a data controller be responsible for the actions of its data processors. The controller should also ensure that the data processors have suitable controls in place to handle personal data in accordance with the GDPR.
Organizations should be able to notify partners of requests to rectify or erase personal data, or to restrict or change the purposes of processing. This will require organizations to review their processing relationships with all third parties and to satisfy themselves that third-party controls and capabilities comply with the GDPR. Similarly, an organization should expect to have to satisfy those third parties of its own controls.
In practice, an organization should have completed its GDPR preparations well before May 2018 to gain assurance from—and provide assurance for—third parties’ requests. This will require resources that have the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so they will not be overwhelmed with requests closer to the enforcement deadline.