A quick reference guide to understand and prepare for the EU’s Global Data Protection Regulation by the May 25 deadline.
Today’s headlines are saturated with catastrophic scenarios of what will happen if organizations fail to comply with the European Union’s (EU) Global Data Protection Regulation (GDPR). Yes, there will be penalties for organizations not in compliance by the May 25, 2018 deadline. But don’t get sidetracked by the mountain of “what if’s.”
Focus on what you can do now to ensure you are ready. The result will be a fully compliant organization better able to safeguard its customers’ personal data — a must-have in an era where consumers are demanding more privacy, transparency and control over their information.
You don’t have to go it alone. Gartner analysts have trusted insights to help you understand GDPR and practical advice on how to prepare for it. We summarize here what matters most for a variety of business and IT leaders — from CIOs and chief information security officers (CISOs) to chief marketing officers (CMOs) and legal and compliance leaders. For those of you who are prepared but still have questions, we’ve got you covered too. Read on.
Know the basics
GDPR applies to all organizations that process and hold the personal data of anyone residing in the EU, regardless of location. Therefore, GDPR applies to your organization if it:
- Has an establishment in the EU
- Offers services or goods to residents of the EU
- Monitors an individual’s behavior in the EU
“GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe,” says Bart Willemsen, research director at Gartner. “With the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”
Owners of that personal data now have extended rights under GDPR. These include:
- The right to be forgotten
- The right to data portability
- The right to be informed, e.g., in case of a data breach, or to receive an explanation, for example, in machine learning systems’ automated decision making
Even if you determine your organization doesn’t need to adhere to GDPR, it’s a best practice to assess its impact on your data processing.
Who in the organization is responsible for compliance?
Security and risk management leaders are of course key players. But the burden is not theirs alone. Business process owners are also responsible and explicitly accept — or increase the mitigation of — residual risks until such risks are within acceptable limits.
This applies to all parts of the organization. For example, because marketing is regarded as a set of business processes that roll up to the CMO, the CMO is ultimately responsible for marketing’s GDPR compliance.
“It is clear that security and risk management leaders can’t ‘go it alone,’ and must involve a multidisciplinary team to translate all the requirements of GDPR and prioritize risk mitigation actions,” says Willemsen.
Will my organization be fined for a data breach?
Not necessarily. Barring the absence of any processing activity, 100% security does not exist. Organizations should assume a data breach will happen. They are, however, responsible for the application of sufficient preventative, detective and other countermeasures.
Experiencing a data breach in itself is not sanctionable; however, a data breach — or “every unintended loss of (control over) personal data” — must be communicated to the regulatory authority within 72 hours of detection. When the breach has a potential impact on the subjects, the organization should notify those individuals as well. A subsequent investigation, or even the lack of notification, may reveal noncompliance, which in turn can be reason for regulatory action.
Hire a data protection officer (DPO)
Many organizations under GDPR jurisdiction will be required to hire, appoint or contract a DPO. The role both protects business interests and serves as a champion for data subjects (including customers, clients and employees). GDPR also calls for the DPO to have a reporting line to the “highest management levels” and full access to the board.
While only one DPO can be appointed, the role can be supported by a dedicated team. As long as the DPO is accessible and independent, organizations can choose between an internal or external model, and even a centralized or dispersed team.
“The scope and magnitude of the DPO role makes it difficult for organizations to determine how to best fill the position,” says Brian Lee, practice leader at Gartner.
But it is possible. Most organizations opt for one of three choices:
- Hire an external DPO; organizations may need to pay more, given the market demand.
- Use third-party advisors, such as consultants and lawyers, to supplement legal teams.
- Train existing staff and help them gain industry-recognized credentials.
Use GDPR to create business value
“Don’t lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organization to acquire flexible rights to use and share data while maximizing business value,” says Lydia Clougherty Jones, research director at Gartner.
If data and analytics leaders involve themselves in the right way, they can use GDPR to:
- Enable new use for the data
- Gain greater access to the data
- Increase trust between their organization and data subjects
The first step is to enlist legal support. Data and analytics leaders should then focus on increasing awareness of how better business outcomes can follow if their organization changes the way it handles personal data. Clougherty Jones shares three ways to do this:
- Advocate for a mandate to drive value within the DPO role.
- Map GDPR consent to your organization’s data strategy.
- Establish new information governance protocols.
Explore GDPR content
Gartner clients can read more in the research listed below. Note that some Gartner research is only available to specific types of clients.
For clients who are IT leaders:
- How Data and Analytics Leaders Can Leverage GDPR for Increased Business Value by Lydia Clougherty Jones, et al.
- GDPR Clarity: 19 Frequently Asked Questions Answered by Bart Willemsen
- Focus on Five High-Priority Changes to Tackle the EU GDPR by Bart Willemsen
- Toolkit: General Data Protection Regulation Readiness Schedule by Wam Voster and Bart Willemsen
- Predicts 2018: CRM and Customer Experience by Ed Thompson, et al.
For clients who are marketing leaders: What Marketers Need to Know About GDPR: Frequently Asked Questions Answered by Andrew Frank.
For clients who are legal and compliance leaders: Visit the CEB, now Gartner, GDPR site.