Hotel Owner April 2018 | Page 26

ADVICE
PREPARING FOR GDPR
enable preventative, corrective and mitigating actions in near real-time, as the regulation expects. These are easily deployed and reduce the potential penalties, even if you are not fully compliant by the deadline.
5. Waiting to see if the courts decide that GDPR is legal
Surprising but true: this is a risky strategy, but some companies are actually thinking this way. Yet every organisation that complies with GDPR gains the benefits that come with stronger security, including a reduced risk of top-line losses from breach-related business disruption. Additionally, GDPR clearly defines a new minimum for data security and privacy. So, with a clear doctrine and both individual and market-wide benefits, GDPR is a good model for modern data security, even where compliance is not mandatory.
6. Failing to spot the differences
GDPR includes a number of items that are not part of the current Data Protection Directive and may trip you up if you are not looking for them. Here are some of the more significant new requirements:
Data Breach Notifications: Controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; processors must notify the controller without undue delay. Where the breach is likely to result in a high risk to the people the data concerns (the data subjects), they too must be told 'without undue delay'. Note that notification to data subjects is not required where the breached data had been rendered unintelligible, for example by encryption whose keys were not themselves compromised; the supervisory authority must still be notified unless the breach is unlikely to result in a risk, and every breach must be documented internally regardless. Encryption of stored data may therefore factor into your compliance strategy, but it does not remove the reporting obligation altogether.
Explicit Consent: Where you rely on consent as your lawful basis for processing, GDPR requires that it be specific, informed and unambiguous, given at the time you collect the personal data (and explicit for special categories of data). This means that organisations can no longer bury generic consent in a long form full of legalese. Instead, organisations must state specifically what data is collected and how it will be stored and processed, in clear and plain language. Nothing short of 'opt-in' will do, and it must be as easy to withdraw consent as to give it.
Data Transfer out of the EU: Personal data must not leave the EU unless the transfer is covered by an approved safeguard (such as binding corporate rules approved by the supervisory authority, or standard contractual clauses), the destination country has an adequacy decision, or the data subject has been informed of the transfer and its risks and explicitly consents to it.
Data Protection Officer (DPO) Appointment: If your core activities involve large-scale processing of personal data (in particular regular and systematic monitoring of individuals, or processing of special categories of data), or you are a public body, you must appoint, hire, assign or contract a DPO, who is your representative to the supervisory authorities that monitor and enforce compliance with the Regulation. He or she is also the contact point for requests or complaints from data subjects, leads your compliance activities and handles communication on security policies, assessments, compliance, data subject requests and breach notifications, among other things. Per the Regulation, the DPO reports directly to the highest level of management; the fixed two-year term that appeared in the draft text did not survive into the final Regulation.
Find out more about GDPR at: https://www.watchguard.com/wgrdsolutions/regulatory-compliance/raceto-the-gdpr-finish-line
VERITAS By Jason Tooley , VP Northern Europe
A critical first step to achieving regulatory compliance is to implement a holistic approach to managing data that goes beyond simply storing it effectively. With more stringent data governance regulations to deal with, companies need complete visibility into their data: what information is stored, how it is used, who owns and accesses it, and how it needs to be treated from a value and compliance perspective. This approach must include the ability to classify large volumes of digital data automatically, scanning and tagging it in a granular, intelligent manner so that information is managed effectively and can be produced on demand.
Under the forthcoming General Data Protection Regulation (GDPR), any business that handles the personal information of individuals in the EU will need to respond efficiently and promptly to regulatory demands. These go far beyond data minimisation and consent: supporting the Articles on data breaches and data portability is as important as being able to answer Subject Access Requests.
Organisations must implement technologies to support GDPR. With so little time to deliver the IT services it requires, businesses also need to focus on operationalising that technology to support the regulations. Failure to do so will affect customer service and brand confidence.
Technology aside, instilling a culture of digital compliance and responsibility among employees will prove the ultimate driver for long-term change. Our research found that businesses are deploying new processes and policies, including training, rewards and updated contracts, in support of GDPR compliance. As a result, employees will understand the role they play in protecting their organisation's data. Employees who fail to meet their company's requirements around information governance may find their bonuses and benefits negatively affected.
Companies that understand how to create opportunity from regulatory requirements will benefit significantly with their customers and suppliers. Whether through more personalisation and relevance to improve customer service, or through information-centric business models that offer innovative services and new revenue streams, taking the time to manage data better can be hugely beneficial.
26 www.hotelowner.co.uk April 2018