The countdown has begun. Just under two years from now – 25 May 2018 to be exact – the EU’s new General Data Protection Regulation (EU GDPR) will come into force. It will apply across all nations throughout the European Union, and it means that the EU’s data protection law will also extend to cover all foreign companies processing EU residents’ data. It’s going to result in a huge increase in compliance obligations for companies. In particular, the potential penalty of up to 4 per cent of an organisation’s worldwide turnover is making data protection a much more prominent issue in the minds of CEOs and boards.
So what can organisations do to prepare for EU GDPR’s arrival? I recommend breaking down the planning into four stages. The first six months should be an education period for anyone tasked with data protection: educating yourself, and educating your staff, because that’s the quickest win you can get. This is also the time to seek a sponsor at management level.
During this first phase, look closely at the technical solutions your organisation has already implemented. This may mean performing a penetration test to check for vulnerabilities, either with internal resources if you have them or by engaging an external party to perform the test. This is also the time to look at how data transfers affect your organisation. Ask questions such as whether you’ll need to look at data transfers outside the European Union. For this exercise, you will definitely need to engage with an outside party that understands GDPR as well as the new EU-US Privacy Shield, and how their implications will specifically affect your business.
The second stage is about writing your organisation’s policies for handling data and mapping the ecosystem where data lives, based on the knowledge you gathered in the previous stage about where the gaps are. This is the time to start assembling the pieces of your plan, and also to begin training the people in your organisation who will be affected by the new GDPR rules.
The following six months, making up the third phase, are about putting in place the technical measures and the procedures for managing the process on an ongoing basis.
Within that 18-month timeframe, you will ideally have reached a stage where, in practical terms, you are ready for GDPR. I recommend you use the final six-month phase to engage with the applicable data protection commissioner’s office. That can be a valuable sense check to see if you’re going in the right direction. Now is also the time to work with an external data protection expert to validate your approach. This exercise will cover your data protection policies, incident response plans, training programmes and agreements with your third-party providers. By now, your board should be fully aware of the potential fines for non-compliance, and your CEO should be on board.
The initial text of the EU GDPR was two years late, so it’s possible, albeit very unlikely, that organisations will get an extension. If there is one, it’s sure to be very short, so there’s not a moment to lose.
In fact, VigiTrust is hosting a dedicated GDPR and Privacy Shield briefing on 21st June at the Hibernian Club in Dublin. Co-hosted with the ICT working group of the France Ireland Chamber of Commerce, the event will set the scene for the new EU GDPR regulations and Privacy Shield and their impact on security and compliance for French-Irish trade.
Starting at 5.30, speakers from the legal and financial sectors, including myself, Mathieu Gorge, and Victor Timon, Consultant at Maples and Calder, will discuss what EU GDPR means, its impact inside and outside the EU and its practical aspects. Dave Prendergast of Depfa Bank will talk about how EU GDPR impacts his daily life as a CISO. Lastly, Eoin Scott of the Motherboard Group will moderate a Q&A panel at the end, which is your chance to ask questions. The evening will wrap up with networking and drinks.
At the event, we’re going to launch VigiTrust’s new EU GDPR e-learning and also a GDPR compliance platform that covers education, policies, vulnerability management, an automated tool for conducting business impact assessments and a secure repository for demonstrating compliance.
Registration details are available at the link above. We hope to see you there.