Know the basics
GDPR applies to all organizations that process and hold the personal data of anyone residing in the EU, regardless of location. Therefore, GDPR applies to your organization if it:
- Has an establishment in the EU
- Offers services or goods to residents of the EU
- Monitors an individual’s behavior in the EU
“GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe,” says Bart Willemsen, research director at Gartner. “With the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”
Owners of that personal data now have extended rights under GDPR. These include:
- The right to be forgotten
- The right to data portability
- The right to be informed, e.g., in the event of a data breach, or to receive an explanation, e.g., of automated decision making by machine learning systems
Even if you determine your organization doesn’t need to adhere to GDPR, it’s a best practice to assess its impact on your data processing.
Who in the organization is responsible for compliance?
Security and risk management leaders are of course key players. But the burden is not theirs alone. Business process owners are also responsible and explicitly accept — or increase the mitigation of — residual risks until such risks are within acceptable limits.
This applies to all parts of the organization. For example, because marketing is regarded as a set of business processes that roll up to the CMO, the CMO is ultimately responsible for marketing’s GDPR compliance.
“It is clear that security and risk management leaders can’t ‘go it alone,’ and must involve a multidisciplinary team to translate all the requirements of GDPR and prioritize risk mitigation actions,” says Willemsen.
Will my organization be fined for a data breach?
Not necessarily. Unless an organization carries out no processing activity at all, 100% security does not exist. Organizations should assume a data breach will happen. They are, however, responsible for applying sufficient preventative, detective and other countermeasures.
Experiencing a data breach in itself is not sanctionable; however, a data breach — or “every unintended loss of (control over) personal data” — must be communicated to the regulatory authority within 72 hours of detection. When the breach has a potential impact on the subjects, the organization should notify those individuals as well. A subsequent investigation, or even the lack of notification, may reveal noncompliance, which in turn can be reason for regulatory action.
Hire a data protection officer (DPO)
Many organizations under GDPR jurisdiction will be required to hire, appoint or contract a DPO. The role both protects business interests and serves as a champion for data subjects (including customers, clients and employees). GDPR also calls for the DPO to have a reporting line to the “highest management levels” and full access to the board.
While only one DPO can be appointed, the role can be supported by a dedicated team. As long as the DPO is accessible and independent, organizations can choose between an internal or external model, and even a centralized or dispersed team.
“The scope and magnitude of the DPO role makes it difficult for organizations to determine how to best fill the position,” says Brian Lee, practice leader at Gartner.
But it is possible. Most organizations opt for one of three choices:
- Hire an external DPO; organizations may need to pay more, given market demand.
- Use third-party advisors, such as consultants and lawyers, to supplement legal teams.
- Train existing staff and help them gain industry-recognized credentials.
Use GDPR to create business value
“Don’t lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organization to acquire flexible rights to use and share data while maximizing business value,” says Lydia Clougherty Jones, research director at Gartner.
If data and analytics leaders involve themselves in the right way, they can use GDPR to:
- Enable new use for the data
- Gain greater access to the data
- Increase trust between their organization and data subjects
The first step is to enlist legal support. Data and analytics leaders should then focus on increasing awareness of how better business outcomes can follow if their organization changes the way it handles personal data. Clougherty Jones shares three ways to do this:
- Advocate for a mandate to drive value within the DPO role.
- Map GDPR consent to your organization’s data strategy.
- Establish new information governance protocols.