Calculated risk: ‘Very few’ organizations will be ready for GDPR
The clock is ticking for business owners who still need to reassess their data protection policies.
Following years of preparation and debate, the General Data Protection Regulation (GDPR) comes into effect on May 25, heralding sweeping changes for the European Union’s data protection laws.
The aim of the GDPR is to protect those residing in the EU from privacy breaches in an increasingly data-driven world through the implementation of tighter data processing rules, strengthened conditions of consumer consent, and the promise of hefty penalties for non-compliant organizations.
Despite the fact that businesses found to be in breach of the GDPR could be fined up to 4% of annual global turnover, or €20 million (whichever is greater), Tim Clements, a Copenhagen-based GRC and privacy program manager, said many organizations still need to reassess their data protection strategies.
Speaking during a webcast hosted by the Information Systems Audit and Control Association (ISACA) yesterday, Clements said: “I think the overwhelming response is that very few will actually be ready or compliant.”
The time is now
During his presentation to ISACA members yesterday, Clements discussed the importance of corporate data protection strategy and the different parameters organizations might want to take into account when creating a framework that adheres to the forthcoming GDPR.
These parameters, Clements said, fall into three distinct categories: a compliance-based strategy, an ethics-based strategy, and a risk-based strategy – the latter of which could be built around the many abstract phrases (such as ‘appropriate’ and ‘adequate’) that are dotted around the GDPR document.
“In my mind, this is where [the GDPR] allows organizations to take a more risk-based strategy, and one which takes into account the nature of your business,” Clements explained.
“In taking a risk-based strategy, I think the main thing that organizations need to do is understand what their risks are, and tackle those key risks [in their] approach.”
‘Tsunami of change’
The GDPR has been heralded as the most important change to the EU’s data privacy regulation in 20 years.
However, as organizations look to bring their own policies in line with the new laws, Clements said they will have to work under a number of assumptions.
“The Article 29 Working Party is feeding clarification and helping organizations interpret key areas of the regulation,” he said. “But, currently, we don’t know everything.”
“Organizations will need to make some assumptions in order to move forward with their programs. Of course, those assumptions may be valid, or you may get to a point where you find the assumption you made is not valid and you need to change direction.”
Despite the muddy nature of certain elements of the GDPR, Clements said data protection should always be at the forefront of business operations, and that enterprises should strive to keep their strategy relevant, particularly amid the “tsunami of change” that is taking place across the regulatory landscape.
“[This strategy] forms the basis of the data protection work that your organization will be doing,” he said. “And it takes into account, among other things, who your organization is accountable to; the nature of your business; and your organization’s business strategy.”
“Once you have that strategy, the key is to keep it relevant. I think this is an area where some organizations have a lot to learn, because although they produce a strategy, it then gets stored away, gathers dust, and becomes irrelevant.”