The general data protection regulation
On May 25, 2018 the new General Data Protection Regulation (GDPR) will enter into application and become directly binding within the member states of the European Union. The regulation will replace current national laws on personal data processing and includes strengthened individual rights and stricter requirements for companies in the processing of personal data.
The regulation imposes increased requirements on companies’ handling of personal data and will lead to changes in organization, IT environment, processes and governance. Existing requirements are amplified and new rules are introduced.
Companies are required to take action to adapt their business to the requirements of the regulation and to minimize the risk of sanctions, which can amount to up to 20 million Euro or 4 percent of global annual turnover. Given the extent of the changes that follow from the GDPR, it is now time to initiate the change process.
Key changes and challenges
FCG sees the following key changes and challenges in the regulation:
- Strengthening of the Individual Rights
- Clearer rules on Privacy by Design
- Tougher requirements regarding consent
- Introduction of sanctions for violation and non-compliance
- Abolition of national regulation, with few national discretions
- Requirement for action when a personal data breach occurs
- Requirements regarding privacy impact assessment/risk analysis (PIA)
- Stricter rules for cross-border processing
- Increased demands regarding roles and responsibilities (Organization)
What you need to do
In order to ensure compliance with the new regulation it is necessary to initiate the change process in time. Below are some of the things you need to consider to be able to initiate change and make effective progress.
Raise the issue at management level. Management needs to understand the regulation and the changes that follow, in terms of both responsibility and consequences (responsibility for the operations and high penalties for non-compliance).
Identify the company’s handling of personal data. To understand which gaps your company faces against the future regulation, it is necessary to map the current situation regarding the handling of personal data. This applies particularly to sensitive personal data, since handling such data is subject to more stringent requirements.
Perform a gap analysis. In order to enable adaptation of the business to the requirements, it is essential to carry out an analysis, for example based on a gap methodology, that compares the current processing of personal data with the desired course of action, i.e. regulatory and internal requirements.
Review the organization and roles, and appoint a Data Protection Officer. A distinct internal organization for personal data processing, with clear responsibilities, will be required. Knowledge of the implications of the regulation is key for management, decision makers and those who work operationally with personal data processing. If, for example, the company processes personal data extensively, the regulation requires it to designate a Data Protection Officer who must be given sufficient resources.
Analyze the IT environment and begin the change process. A significant part of the preparatory work is to determine how the existing IT environment is affected by the changes. Therefore it is important to carry out an IT analysis to identify which IT systems and databases manage personal data and where the data is physically stored. One area of the new regulation that is particularly important to consider is the systems’ compliance with Privacy by Design.
Ensure that time and budget are allocated and begin implementation. Since time is short and there are potentially major changes that need to be implemented within the company, it is important to allocate resources. Implementation includes the establishment of procedures and processes, an internal framework, IT alignment, legal review, and new or changed roles and responsibilities.
Get help early in the process. In order to have time to adapt the business in an effective manner, it is important to start the process now. FCG has an established expert group in the field that has extensive subject knowledge and broad experience of regulatory adaptation work. Further, FCG has effective methods and procedures to assist companies based on the size, complexity and requirements of each company.
Figure 1: Parts of the data protection framework
How can FCG help
FCG provides services to companies preparing for the regulation, which means adjusting the specific business to the changes in the regulation. FCG has established effective methods and approaches to assist you based on the size, complexity and needs of your business. FCG’s offering is comprehensive and the services range from an initial gap analysis and an inventory of IT systems or personal data to feasibility studies, implementation and management of projects.
We have compiled the key changes of the regulation, what actions companies must take and how FCG can assist. To find out more – follow the link to the right.