Impacts of GDPR across your organization
- Penalties for failing to comply with the basic processing principles of GDPR may subject the organization to fines up to €20 million or 4% of the organization’s total global revenue, whichever is greater.
- Imposes new obligations on both controllers and processors of personal data.
- Places a greater emphasis on accountability, requiring more documentation and record-keeping.
- GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.
- Data protection impact assessment – This assessment, required for high risk personal data processing activities, can help organizations identify risks and define mitigating actions.
- Data privacy accountabilities – The GDPR states that the controller is responsible for confirming that a firm adheres to the law’s privacy principles.
- Condition for processing – The processing of personal data must rely on a lawful basis as outlined in the GDPR.
- Data protection officer – Firms that conduct large-scale systematic monitoring of EU residents’ data or process large amounts of sensitive personal data must appoint a qualified DPO.
- Privacy by design (PbD) – Organizations are required to establish privacy controls from the outset of product or process development.
- Right to erasure – An individual can request the deletion or removal of personal data when there is no lawful reason for its continued processing.
- Consent – Consent must be freely given and explicit, indicating the individual’s specific agreement to the processing of personal data.
- Data breach notification – Organizations must notify the supervisory authority of a data breach within 72 hours of becoming aware of it.
- Data portability – This allows individuals to move, copy or transfer personal data easily from one organization to another in a secure way for their own purposes.
Implement a privacy risk management framework
Implementing the GDPR should be viewed as an integrated exercise set within each firm’s overall privacy risk management framework. GDPR touches on all aspects of an organization, reaching across people, processes and technology. Establishing a cross-functional team that supports the transformation of the company is therefore a critical step for a successful implementation.