GDPR is the European General Data Protection Regulation 2016 which becomes effective in May 2018:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
What does this mean?
The objective of this new set of rules is to give citizens back control of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
Varied State of Readiness
Preparation and compliance to GDPR dominated discussion at the International Association of Privacy Professionals (IAPP) ‘Data Protection Intensive’ held in London in March 2017.
It was very apparent that there is a range of “readiness” across organisations. Not just European companies but also companies outside Europe which process European personal data. Whilst Regulated industries may be slightly ahead in preparation they too do not have all the answers to what is required.
Guidance from Europe and Supervisory Authorities is starting to appear. The EU Article 29 Working Party (an advisory body which provides guidance on EU data protection law) has published Guidelines on Data Portability, Data Protection Officers and the Lead Supervisory Authorities. Their latest Guideline on Data Protection Impact Assessments was available for public consultation and feedback which closed in May – publication of this adopted Guideline is now awaited. The Guidelines are available here.
So what should companies be doing?
In order to comply with GDPR a company needs to know what personal data it is processing as well as how and where.
A first step is to investigate into the far recesses of your operations, map the flow of personal data and establish a detailed report on the activity.
Next, you should undertake a gap analysis comparison of what you do today with anticipated GDPR requirements. This will form the basis of your Action Plan. Although, please note, the analysis will have to be adaptable as more guidance on the GDPR becomes available. A risk based approach is sensible to evaluate what is essential and then determine what can be achieved within a realistic timeframe.
Finally, implement the plan!
It is predicted by May 2018 companies will be in various stages of readiness or compliance with GDPR. We encourage all our customers and associates to get ahead of the curve.
For more content like this, please leave your comments below.