On 25 May 2018, the General Data Protection Regulation (GDPR) went into effect across the European Union, forcing organizations to take a hard look at their data collection and storage practices. The GDPR was designed to protect the personal data of individuals in the EU and to change how organizations collect and process that data.
The regulation applies to personal data collected in the future as well as data already held. According to Gartner, more than 50% of companies affected by the GDPR will not be in full compliance by the end of 2018, so preparing for the future of big data now comes with the extra task of reaching GDPR compliance.
The GDPR has big implications for companies: non-compliance can result in fines of up to 4% of annual global turnover or €20 million, whichever is greater, according to Oracle.
“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Gartner research director Bart Willemsen in a press release. “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
To ensure full GDPR compliance, companies should enlist legal counsel, but here are some suggestions for lining up with the GDPR requirements.
Focus on High-Priority Changes for GDPR Compliance
Gartner lists five high-priority changes for companies looking to get in line with the GDPR requirements.
- Determine your role under the GDPR. The GDPR affects not only EU businesses, but any business outside the EU that collects or processes personal data of people in the EU, whether as a controller (deciding why and how data is processed) or a processor (handling it on a controller's behalf). Every affected organization should name a point of contact for data protection authorities and data subjects.
- Appoint a data protection officer. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the DPO monitors those processing activities and advises on compliance.
- Demonstrate accountability in all processing activities. In other words, make sure the processes in place are sound and relevant, and keep records that show it. All affected organizations must be transparent about their data processing activities and the decisions behind them. Consent is one lawful basis for processing, and where an organization relies on it, the GDPR requires that consent be freely given, specific, informed and unambiguous.
- Check cross-border data flows. Transfers between EU member states are still permitted, as are transfers to the 11 countries the European Commission has deemed to provide an adequate level of protection. For transfers anywhere else, companies holding data on people in the EU need an appropriate safeguard, such as standard contractual clauses or binding corporate rules.
- Prepare for data subjects exercising their rights. Under the GDPR, individuals have the right to have their data erased from company systems, the right to access the data held about them, and the right to be informed without undue delay when a breach is likely to result in a high risk to them.
The IBM GDPR Framework
IBM built a framework to help companies with their GDPR readiness; its stated goal is "to help clients manage security and privacy effectively in order for them to reduce risks and therefore incidents."
The five steps of the framework are:
- Assess: run GDPR risk and privacy assessments across people, data, processes, security and governance to create a roadmap
- Design: define GDPR-compliant standards for each area of the organization and an implementation plan to reach them
- Transform: roll out new procedures, tools and GDPR training to bring processes in line with those standards
- Operate: run the new processes day to day, monitoring data subject consent and access requests within an operational framework
- Conform: continuously monitor and assess adherence to the GDPR standards to support ongoing reporting
The GDPR requires stronger security controls and more protection for personal data. IBM suggests that artificial intelligence will play a role in helping companies stay within GDPR-compliant practices.
The Benefits of GDPR
While the GDPR does create extra costs, it also provides much-needed structure, according to The Economist. Well-defined processes and transparency give data subjects more control over the information they have handed to companies. The GDPR thus forces data collection to be taken much more seriously and protects people in the EU. Companies will have to practice better "data hygiene": examine what data they hold, weigh the risk of keeping it, protect what they keep and delete the rest.
Those who are not yet ready for full compliance will need to watch how the law is enforced, as the practical meaning of compliance may evolve.
“The legislation is four to five times more complicated than existing law,” said Eduardo Ustaran with law firm Hogan Lovells, in an interview with The Economist. “We’ll probably spend the next 20 years figuring out what it means to be compliant.”
Jacksonville University’s online business programs, like the Master of Science in Applied Business Analytics, can give professionals the information they need to help make data-driven decisions that will power companies toward GDPR compliance.