At the Information Security Forum (ISF), we believe that the General Data Protection Regulation (GDPR) will be the biggest shake-up of global privacy law in decades. The GDPR not only redefines the scope of European Union (EU) data protection legislation, but forces organisations on a global scale to comply with its requirements. The regulation will have an international reach, affecting any organisation that handles the personal data of EU residents, irrespective of where it is processed.
Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders and implementing a culture change across the enterprise to address data protection requirements. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives.
But it is not just in the area of privacy where legislation will bite. The increasing burden of compliance, and the variation in legislation across jurisdictions, will affect multi-nationals and businesses targeting international trade. In the longer term, however, organisations that adopt and meet the requirements of the EU GDPR will benefit from the uniformity the reform introduces across EU member states. Smart businesses are already seeing the opportunity to turn compliance actions into tangible business benefits.
Preparation Begins Now
For most organisations, the next few months will be a critical time for their data protection regimes as they determine whether the GDPR applies to them and which controls and capabilities they will need to manage their compliance and risk obligations. Because the GDPR requires personal data breaches to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, the detection, escalation and reporting processes must be in place in advance; they cannot be built during an incident.
To assist businesses of all sizes, the ISF recently released its GDPR Implementation Guide, which builds on the ISF digest, Preparing for the General Data Protection Regulation. The ISF GDPR Implementation Guide summarises the key requirements of the new legislation and lists the questions an organisation needs to answer to understand its GDPR readiness.
To get the most out of the ISF GDPR Implementation Guide, organisations should consider their current data protection practices and how to improve those practices in line with GDPR requirements. Utilising the guide, organisations can better prepare, implement, evaluate, and enhance their data protection activities. The GDPR Implementation Guide presents the ISF Approach for GDPR Compliance in two phases:
• Phase A: PREPARE by discovering personal data, determining compliance status and defining the scope of a GDPR compliance programme.
• Phase B: IMPLEMENT the GDPR requirements to demonstrate sufficient levels of compliance.
In collaboration with ISF Members and other experts, the ISF has developed a structured method for achieving sufficient levels of compliance with the GDPR requirements. The ISF Approach focuses on key compliance actions, including the guidance needed to build an implementation plan that can be embedded in a continuous improvement cycle. It is supplemented with practical actions, insightful tips and reusable templates to accelerate compliance.
Reform is Coming. Are you Ready?
With reform on the horizon, organisations planning, or already doing, business in Europe should get an immediate handle on what data they are collecting about European individuals: where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it. Optimally, organisations should complete their preparations well before the GDPR applies on 25 May 2018, leaving time to request and respond to third-party assurances. These activities require people with the expertise and time to assess contracts and data impacts, issue assurance requests, and process the responses.
Data protection, legal, marketing and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
For more information:
Information Security Forum Limited,
London, EC3M 1AJ, UK
Tel: +44 (0)203 875 6868
Fax: +44 (0)203 875 6909