At IDC, we believe that GDPR is a game-changer that fundamentally changes the business risk associated with personal data. GDPR has a global relevance because the territorial scope applies to the processing of data of people in the European Union: irrespective of where that processing is physically performed. In addition, there are strict rules over the transfer of personal data to countries outside the EU. Companies that deal with the data of people in the EU therefore are affected by GDPR, whether they know it or not.
With the deadline looming, and a lifetime of compliance after May 25th, focusing on the things that matter is essential. IDC has been researching the implementation dynamics of GDPR for the last three years, so we have a strong body of data from which to draw some fundamental truths. Our research shows that there are three broad areas to focus on with GDPR.
The first is that companies must decide on their aspiration towards GDPR. This is the most important question, as it addresses the eventual outcome of any compliance program. It may seem an odd starting point for a compliance activity, but there is no checklist for GDPR. Companies must decide for themselves how to comply with the principles and specified requirements in the regulation. As the regulators themselves say, companies “must make the necessary assessments and reach the appropriate conclusions.” This is why, at IDC, we talk about some companies choosing to adopt a “pragmatic compliance” approach, while others strive to go “beyond compliance” to reach a “compliance exemplar” state. Only the board of an organisation is sufficiently authoritative to make this kind of decision.
The second area of focus is, not surprisingly, the personal data itself. Companies need to have a high degree of confidence that they know what data they retain, that they can find all instances of it, and can evidence their ability to gather it lawfully, manage and secure it, and process it according to the rights of the data subject. This is, as most of us now know, much harder to achieve than it sounds. But it is essential, and gets to the heart of GDPR principles, which are to instantiate the right of privacy as outlined in the European Convention on Human Rights.
At IDC, we are fond of saying that GDPR is all about risk, and risk awareness is the third focus area for organisations. Companies need to take a risk-based approach to their GDPR compliance activities. Only then can they decide where to place emphasis in the pursuit of compliance. Although not specifically stated, GDPR implies a requirement for a continuous state of compliance, which requires companies to be always vigilant with regard to the processing of personal data. This requires a change to the organisational state of mind.
The three key focus areas for GDPR outlined above form the basis of a readiness assessment tool that IDC has developed in partnership with Symantec. Applying our knowledge of the key factors for success informs the short number of questions required to make an initial determination of readiness. You can try the tool yourself, for free.
Wherever you are in your preparations, there’s no time to lose. Join the ‘90 Days to GDPR’ webinar hosted by Symantec security experts, helping you understand your level of readiness and giving you practical, actionable steps depending on what stage you are at ahead of the May deadline. Register now for the English, French, German, Spanish, or Italian session.
Source: Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, Article 29 Data Protection Working Party, 3rd October 2017