The General Data Protection Regulation will directly affect all companies that are collecting personal data, and with every company doing just that, it will affect all, without exception. CEOs, CIOs, and CTOs should push for alignment with the privacy protection laws and regulations enforced by the GDPR as early as possible or run the risk of missing the deadline.

How can you make sure you’re ready when the law enters into force on May 25th 2018? Firstly, get familiar with the top 10 things to know about the GDPR:

  1. The definition of personal data is becoming broader and includes everything from medical records, financial status, social identity, and more.
  2. All companies, whether within the EU or beyond its borders but doing business in the EU, will have to comply with the General Data Protectin Regulation if they collect personal data of EU citizens.
  3. Collect your data wisely – with the GDPR in place it will be detrimental that you don’t collect and store more then necessary.
  4. Any breach must be reported within 72 hours after a detected data breach.
  5. All companies must collect an affirmative consent from each individual, that allow them to process personal data.
  6. All individuals have “the right to be forgotten.”
  7. Consent is not “for life” and must be repeated.
  8. A data protection officer (DPO) will be needed for many companies and perhaps even mandatory for some.
  9. Get a Data Protection Officer (DPO) in place early as it take up to one year to perform data analytics, culture behavior and process changes for most large organizations.
  10. Finding relevant data is hard. An initial data discovery through automation, followed by a protection impact assessment can help organizations understand the needs for data processing activities.

GDPR compliance affects everyone, across the board.

Even though the GDPR is superficially associated with Europe, US companies need to know about international data transfers subject under EU’s GDPR. When talking to US companies, the immediate reaction that seems to be prevailing is that almost all believe they will not be impacted. They couldn’t be more wrong! Every company doing business with citizens of Europe will be affected. Have you sold a flight ticket to any citizen in Europe that travelled with your airline? Has a European citizen booked their hotel through your website? Do you have a Global Market where you sell and ship merchandise that is ordered by a citizen in Europe? I could go on, but it’s fairly safe to say that 99,99% of business/client transactions will need to adhere to the GDPR. As security breaches become a common occurrence and seem to progressively increase in scale, privacy protection is even more crucial than ever before.

With more than 16 million medical records breached in 2016 in the US alone, the healthcare system needs to start preparing for the GDPR on a global scale, without delay. European citizen travel far and wide, and although they take precaution, some get sick abroad and need to be treated. Their personal data must be protected whether they are in Cuba, Paris or Bali. More than 16,571,490 records were compromised in health care data breaches in the United States last year, according to the Department of Health and Human Services’ Office for Civil Rights (OCR) Tracy Schumaker reported early January 2017.

Our recreational activates will also be covered by the GDPR. A report from Lewis Morgan stated that 1.5 million ESEA records were leaked in a data breach. LeakedSource, a breach notification website, claimed to have obtained a total of 1,503,707 ESEA user records. It claimed the hack emerged after the website’s administrators failed to pay a ransom demand of $50,000.

As described by author Michaela Jucan, there are certain conditions that ensure data is protected. Under the GDPR (Article 44), organizations need to satisfy certain conditions in order to allow data to be transferred outside the European Union. These conditions mirror the Directive’s principles of ensuring adequate data protection:

  •    Data controllers must secure informed consent from the data subject for the transfer and the risks associated with the transfers.
  •    Transfers can be made when they are necessary for the performance or conclusion of a contract.
  •    Transfers can be made when it is necessary on the grounds of public interest, or for the establishment, exercise, or defense of legal claims.
  •    Transfers are permitted if they are necessary to protect the vital interests of the data subject or for the pursuit of the legitimate interests of the data controller/processer.

How Capgemini can help your organization

It’s clear that GDPR will impact all companies, all over the world. It might not be clear how to prepare for it. No matter where you fall on the readiness spectrum, whether you need a few modifications or still have a long way to go, Capgemini designed a portfolio that fits your needs. The Capgemini portfolio considers the most important topics for executives regarding privacy protection and security. It’s divided into four categories that will ensure organizations have a clear reliable path that lead to GDPR compliance:

GDPR Assessment

The assessment is an analysis and recommendations on planning, governance, process, culture, data and technology. The result of the assessment is a list of categorized findings, conclusions and actionable recommendations that aim to prepare for the GDPR. The assessment may be the first step towards implementation of other categories, such as planning, governance, process, culture, data and technology. The assessment may also confirm that all preparations are in place. (duration 2-3w)

GDPR strategic plan

Capgemini can help to include a set of defined action items that employ the use of technology to raise the quality and level of personal data protection within your organization into your strategic GDPR plan. The stakeholders from your organization will be involved in creating a realistic, supported, and actionable plan. Capgemini will facilitate by utilizing its experience with strategic plan development, GDPR readiness capabilities and gained insight into your business and technology solutions. (Duration 2-4w)

GDPR data protection impact assessment

Capgemini will help to assess the GDPR readiness of your IT infrastructure for any type of processing. At the start, a data protection impact assessment scope, governance, questionnaire and tooling are tuned to the specific needs of your organization. To ensure cooperation of all target groups, an awareness campaign on GDPR and data protection is initiated. A selection of relevant information systems is made based on their initial data protection risk. Based on the answers given in the data protection impact assessment tool, the impact of each system is calculated and an overview of gaps, risks and measures is generated. The tool provides a dashboard with gaps for each role, risks scores and mitigating measures which are categorized. Subsequently, a consolidated internal (board) and external (regulator) report can be generated. The results provide the starting point for an improvement plan for the Data Protection Officer. (Time frame dependent on size)

GDPR technology solution

Capgemini can take lead as the project manager, and work with partners to perform the technical implementation of three technology solutions, which are applicable to existing, legacy and new digital systems:

  • Database security options
  • Identity and access management
  • High availability and resilience solutions.

No Data Protection Officer (or DPO), can singlehandedly ensure their CEO, CIO, CMO, that their organization’s customer privacy is protected against fraud. Regular testing will provides more control over privacy and offer better personal data protection,, under the condition that the Board also provides sufficient sponsorship to perform all DPO activities needed to ensure compliance in the area of Cybersecurity. (Time frame dependent on approach). Please find all details about GDPR and if you want to discuss further, please reach out by leaving a comment in form below and I will contact you shortly.