Unprepared for the 2018 GDPR
May 8, 2017
Analysts Identify Five High-Priority Actions for Data Controllers and
Processors Inside and Outside of the European Union
The European General Data Protection Regulation (GDPR) will have a global
impact when it goes into effect on May 25, 2018. Gartner predicts that
by the end of 2018, more than 50 percent of companies affected by the
GDPR will not be in full compliance with its requirements.
"The GDPR will affect not only EU-based organizations, but many data
controllers and processors outside the EU as well," said Bart Willemsen,
research director at Gartner. "Threats of hefty fines, as well as the
increasingly empowered position of individual data subjects, tilt the
business case for compliance and should cause decision makers to
re-evaluate measures to safely process personal data."
The GDPR replaces the Data Protection Directive 95/46/EC and is designed
to support the single market, to harmonize data privacy laws across
Europe, to protect and empower European Union (EU) citizens' data
privacy and reshape the way organizations approach data privacy for EU
citizens wherever they work in the world.
Gartner recommends organizations act now to ensure they are in
compliance when the regulation goes into effect. They should focus on
five high-priority changes to help them get up to speed with the GDPR:
1. Determine Your Role Under the GDPR
Any organization that decides why and how personal data is processed
is essentially a "data controller." The GDPR therefore applies not only
to businesses in the European Union, but also to all organizations
outside the EU that process personal data to offer goods and
services to the EU, or that monitor the behavior of data subjects within
the EU. These organizations should appoint a representative to act as a
contact point for the data protection authority (DPA) and data subjects.
2. Appoint a Data Protection Officer
Many organizations are required to appoint a data protection officer (DPO).
This is especially important when the organization is a public body,
carries out processing operations requiring regular and systematic monitoring, or
has large-scale processing activities. "Large scale" does not
necessarily mean hundreds of thousands of data subjects.
3. Demonstrate Accountability in All Processing Activities
Very few organizations have identified every single process where
personal data is involved. Going forward, purpose limitation, data
quality and data relevance should be decided on when starting a new
processing activity as this will help to maintain compliance in future
personal data processing activities. Organizations must demonstrate an
accountable posture and transparency in all decisions regarding
personal data processing activities. Outside parties must also comply
with relevant requirements that can impact supply, change management and
procurement processes. It is important to note that accountability under
the GDPR requires proper data subject consent acquisition and
registration. Prechecked boxes and implied consent will be largely in
the past. A clear and express action is needed that will require
organizations to implement streamlined techniques to obtain and document
consent and consent withdrawal.
4. Check Cross-Border Data Flows
Transfers to any of the 28 EU member states* are still allowed, as well
as to Norway, Liechtenstein and Iceland. Transfers to any of the other
11 countries** the European Commission (EC) deemed to have an "adequate"
level of protection are also still possible. Outside of these areas,
appropriate safeguards such as Binding Corporate Rules (BCRs) and
standard contractual clauses (i.e., EU "Model Contracts") should be
used. EU-based data controllers should pay specific attention to new
mechanisms under the GDPR when selecting or evaluating data processors
outside the EU and ensure appropriate controls are in place. Outside of
the EU, organizations processing personal data on EU residents should
select the appropriate mechanism to ensure compliance with the GDPR.
5. Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the
right to be forgotten, to data portability and to be informed (e.g., in
case of a data breach). If a business is not yet prepared to adequately
handle data breach incidents and subjects exercising their rights, now
is the time to start implementing additional controls.