Calling the General Data Protection Regulation (GDPR) “the biggest upheaval of global privacy law” in a couple of decades, the Information Security Forum (ISF) has released the GDPR Implementation Guide, which offers organisations a two-phase walkthrough to prepare for and implement a GDPR compliance programme, ISF executive director Steve Durbin told SC Media.
The first phase covers preparing for the regulation, set to take effect 25 May, 2018, starting with discovering personal data then determining compliance status and finally defining the parameters of a compliance programme.
“The first thing is preparation, organisations understanding their personal data” and that it “really is enterprisewide,” said Durbin, noting that the regulation will have tremendous effect on the wholesale marketing side of a business.
Organisations must then understand how they collect and process data before they talk compliance. “One danger that we run when we talk GDPR compliance is organisations might think” it's a one-time checkbox process, “but it's not,” said Durbin. Rather, it's an ongoing process as companies expand and change their data collection.
GDPR compliance requires changing “the processes and culture across an organisation [as to] how information is used and processed,” he said.
Companies, too, must get a handle on how third-party partners and vendors handle data and comply with GDPR.
The second phase is actual implementation of a GDPR compliance programme, which Durbin said will likely bump up individuals' understanding of how their data is collected, protected and used. Consumers likely assumed, for example, that a company like Equifax handled data much better, but got a rude awakening after the company's recent massive breach. That will change with GDPR.
“Individuals will understand much better how to ask about data,” he said, adding that as a result, he expects “much more individual frustration” regarding breach notifications.
Durbin urged companies not to simply view GDPR as a compliance issue but as a launching point for bringing real, positive change to their business operations.
“Data protection and legal compliance should not be perceived solely as a burden. The GDPR provides organisations with an opportunity to move programmes beyond risk reviews and data analysis to deliver tangible operational change, thereby securing competitive advantage,” he said in a release. “While every organisation should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Leading organisations are structuring GDPR compliance programmes to exploit these opportunities and our GDPR Implementation Guide offers a method for doing just that.”
The threat of hefty fines (four percent of annual turnover) and the potential hits to reputation should push even the stragglers to eventually comply, even if it means calling in outside help.
“I don't think anyone wants to be the first one to fall afoul of GDPR,” said Durbin.