Calling the General Data Protection Regulation (GDPR) “the biggest upheaval of global privacy law” in a couple of decades, the Information Security Forum (ISF) has released the GDPR Implementation Guide, which offers organizations a two-phase walkthrough to prepare for and implement a GDPR compliance program, ISF Executive Director Steve Durbin told SC Media.
The first phase covers preparing for the regulation, set to take effect May 25, 2018: discovering personal data, then determining compliance status, and finally defining the parameters of a compliance program.
“The first thing is preparation, organizations understanding their personal data” and that it “really is enterprisewide,” said Durbin, noting that the regulation will have tremendous effect on the wholesale marketing side of a business.
Organizations must then understand how they collect and process data before they talk compliance. “One danger that we run when we talk GDPR compliance is organizations might think” it's a one-time checkbox process, “but it's not,” said Durbin. Rather, it's an ongoing process as companies expand and change their data collection.
GDPR compliance requires changing “the processes and culture across an organization [as to] how information is used and processed,” he said.
Companies, too, must get a handle on how third-party partners and vendors handle data and comply with GDPR.
The second phase is actual implementation of a GDPR compliance program, which Durbin said will likely bump up individuals' understanding of how their data is collected, protected and used. Consumers likely assumed, for example, that a company like Equifax handled data much better, but got a rude awakening after the company's recent massive breach. That will change with GDPR.
“Individuals will understand much better how to ask about data,” he said, adding that as a result, he expects “much more individual frustration” regarding breach notifications.
Durbin urged companies not to simply view GDPR as a compliance issue but as a launching point for bringing real, positive change to their business operations.
“Data protection and legal compliance should not be perceived solely as a burden. The GDPR provides organizations with an opportunity to move programs beyond risk reviews and data analysis to deliver tangible operational change, thereby securing competitive advantage,” he said in a release. “While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities and our GDPR Implementation Guide offers a method for doing just that.”
The threat of hefty fines (four percent of annual turnover) and the potential hits to reputation should push even the stragglers to eventually comply, even if it means calling in outside help.
“I don't think anyone wants to be the first one to fall afoul of GDPR,” said Durbin.