Cybersecurity

EU’s Data Protection Regulation Is Right Around the Corner

There are now fewer than 60 days remaining before the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25. Is your company prepared? If not, here’s a procrastinator’s guide to speeding up your organization’s compliance.

GDPR

aurielaki / iStock / Getty Images Plus / Getty Images

“GDPR will affect virtually any company in any sector around the world that processes the personal data of EU residents and many chief information officers (CIOs) are losing sleep on how to best prepare,” explains Justhy Deva Prasad, MBA, Chief Data Partner at Claritysquare, a global technology firm that helps Fortune 500 clients around the globe transition to the digital age safely.

“These new regulations have sparked a sense of unprecedented urgency to data management and data protection but they will require an enterprise level view to address compliance effectively, efficiently, and more importantly, dare I say, profitably,” says Justhy, author of the new book The Billion Dollar Byte: Turn Big Data Into Good Profits, The Datapreneur Way (Morgan James, 2018). “While ‘absolute compliance’ may not be possible for many organizations by May 25th, the potential penalties for noncompliance are not trivial, reaching as high as 4% of global revenue or 20 million euros, whichever is greater. So it’s going to cost you if your C-Suite get things wrong.”

Justhy, who has been interviewed by The Scientific American, U.S. News & World Report, and Global Trade Magazine, provides a list of 5 things every CIO must do to prepare for GDPR compliance:

  1. Understand that data is a trail of your business processes and now this data must be managed with increased record-keeping. This is not new to most companies; however, the most undisciplined companies are going to be penalized for this negligence and will have to get their house in order. Thankfully, most IT departments are capable enough.
  2. Get good at performing data protection impact assessments (DPIAs). Ensure that DPIAs are an integral part of your existing business and technology processes. The GDPR requires organizations to conduct data protection impact assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of EU resident personal data. This calls for a high level of transparency of both the process as well as data landscape.
  3. Incorporate privacy by design into your culture and DNA. The GDPR requires privacy and data protection controls to be incorporated by design into any new or existing systems or processes that involve EU resident personal data. Ensure that communications and training programs address this as a part of your culture initiatives.
  4. Know and treat data sensitively while considering data portability and erasure. Under the GDPR, organizations must provide EU residents with the ability to access, correct, and erase their data, as well as allow them to move it to another service provider if they so choose.
  5. Step up to a culture of managing data risk in your business. Get control over third-party risk management. Remember, that person-centric data is most valuable to your business anyway. It is the billion-dollar byte. GDPR is now an opportunity to get your act together, even when third parties are managing your data.

A GDPR Checklist For CIOs

Justhy offers the below checklist for cybersecurity and IT leaders:
The Billion Dollar Byte

  • Make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR.
  • Document what personal data you hold, where it came from and who you share it with.
  • Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  • Update your procedures and plan how you will handle requests to take account of the new rules.
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  • Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  • Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  • Enable Data Protection by Design and Data Protection Impact Assessments.
  • Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
  • If your organization operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
Justhy PrasadData scientist Justhy Deva Prasad serves as Chief Data Partner at Claritysquare, a global technology firm that helps companies leverage data to reduce costs, recapture lost value, and generate new revenue. His upcoming book, The Billion Dollar Byte (Morgan James, January 2018), provides a blueprint for companies big and small that want to implement a winning data strategy. A world class expert on the application of data for creating economic value in business, Justhy previously worked for IBM Labs, the research and development campus for IBM’s global customer base.

For over 15 years, Justhy has helped Fortune 500 clients around the globe transition to the digital age. His clients have included Zurich Insurance Company, Credit Suisse, Aetna, McKesson, and many others. Justhy attended the London Business School, is a mechanical engineer, and holds his MBA degree with a specialization in marketing.