With the European Union’s General Data Protection Regulation due to come into force on May 25, 2018, adopting a number of best practices can help organizations prepare for this brave new world.
The General Data Protection Regulation (GDPR) represents the most important change in the European Union’s (EU) data privacy regulations in the last 20 years. The aim of GDPR is to protect EU citizens and residents regarding the processing of personal data and the free movement of such data, and applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Under GDPR, organizations in breach can be fined up to 4% of their annual global turnover or €20 million—whichever is greater.
Enforceable from May 25, 2018, business leaders should be proactive in asking questions such as:
- How do we monitor and evaluate changes in the regulatory environment after GDPR?
- What is the impact of GDPR on our strategy and risk management practices?
- Do we have appropriate mechanisms in place to provide timely feedback on progress against GDPR risk factors that could alter our strategy?
Although most organizations have already started various GDPR projects in some form or another—including data discovery, inventory, minimization, anonymization, records’ management, breach management and clause review—there are several best practices organizations can adopt to help them prepare for the regulatory changes:
- Leverage a top-down approach—considering the huge financial impact of any breach of GDPR, organizations need to leverage an enterprise approach. Entity-level controls relevant to the new regulations will enable management to direct, control, review, measure and monitor progress on regular basis. GDPR risk should also be included in an organization’s enterprise risk management framework for effective and continuous risk review.
- Identify relevant principles—building a list of principles mentioned in various best practices, standards and frameworks applicable to regulatory changes will enable organizations to implement the most appropriate principles for their organization’s environment and domain.
- Adopt COSO ERM (2017)—principle 15 of COSO ERM (2017) states that organizations must identify and assess changes that may substantially affect their strategy and business objectives. As such, it is vital that organizations dealing with the data of EU citizens should consider GDPR risk in both their strategy-setting process and in driving performance.
- Implement COBIT 5—with most organizations supported in some shape or form by IT, ISACA’s COBIT 5 framework enables organizations to identify and monitor changes in local and international laws, regulations and other external requirements from an IT perspective. Implementing this framework will help organizations to comply with GDPR, including the identification, implementation and monitoring of GDPR requirements through review and adjust policies, principles, standards, procedures and methodologies.
- Execute 2013 COSO Internal Control—Integrated Framework—this framework states that organizations should analyze internal and external factors to identify the risk and impact on achieving their objectives. It also states that an organization should assess changes in the external environment and that the risk identification process should consider changes to the regulatory, economic, and physical environment in which the entity operates.
- Scope ISO certification—ISO 27001 states that organizations should determine the external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system. To this end, an organization should look to update and obtain ISO certification in the context of GDPR.
Considering these principles and best practices will help your organization continue effective and efficient implementation of a GDPR compliance program well in advance of the May deadline.
To learn more about how our governance, risk management and compliance (GRC) services can assess your GDPR compliance and help save time and money for your clients, contact: firstname.lastname@example.org
Click here to learn more about how Capgemini’s GDPR portfolio can enhance your reputation and deliver real business value.