Jewellery Focus April 2018 | Page 27

4 Getting wrapped up in the complexity of compliance and missing the simple fixes

Some organisations dive straight into Data Protection Impact Assessments (DPIAs) and into working with newly appointed Data Protection Officers (DPOs) and cross-functional teams, before they fully understand the regulation. This can lead to delays and frustration, and an organisation can consume all the time it has left on research and failed compliance efforts. Instead, while the impact analysis is underway, take time to implement the simpler upgrades that almost everyone needs in order to become compliant. For example, an upgrade to network security is almost always warranted. These are the solutions that give an organisation ‘situational awareness’ and enable preventative, corrective and mitigating action in near real time, in line with the regulation’s security-of-processing requirements. They are easily deployed and reduce the potential penalties, even if the organisation is not fully compliant by the deadline.

5 Waiting to see if the courts decide that GDPR is legal

Surprising but true: this is a risky strategy, but some companies are actually thinking this way. Yet every organisation that complies with GDPR gains the benefits that come with stronger security, including a reduced risk of top-line losses from breach-related business disruption. Additionally, GDPR clearly defines a new minimum for data security and privacy. So, with a clear doctrine and both individual and market-wide benefits, GDPR is a good model for modern data security, even if compliance is not mandatory.

estimated that they would become compliant within seven months, on average, and only 10% said that they were already fully compliant. Businesses just beginning a compliance project cannot afford to waste time and should look for help to accelerate the process.
6 Failing to spot the differences

GDPR includes a number of items that are not part of the current Data Protection Directive and may trip you up if you are not looking for them. Here are some of the more significant new requirements:

Data Breach Notifications: A controller must notify its supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), a processor must notify the controller without undue delay, and where the breach is likely to result in a high risk to individuals, the people to whom the data relates (data subjects) must be told ‘without undue delay’. It should be noted that a breach of data that was encrypted, so that it is unintelligible to whoever obtained it, does not have to be communicated to the data subjects, although the supervisory authority may still need to be notified; encryption of stored and transmitted personal data can therefore factor into your compliance strategy.