2018 stood as the year for GDPR (General Data Protection Regulation). The regulation came into full force on the 25th May overturning compliance procedures and resulted in an influx in last minute policy emails. But GDPR in 2019 is not any less relevant and if anything compliance has become more important. Whilst supervisory authorities are recovering from the rush of complaints they received when the regulation took effect, we also expect to see investigations being conducted more regularly and fines being issued to those not complying, as demonstrated by Google’s recent record €50 million fine. This high profile example is one reason why organisations must step up their compliance efforts because it is clear that regulators are paying attention and the potential penalties are substantial. So what are some of the challenges of GDPR and how can organisation overcome them?
A recent report conducted by IT Governance surveyed 250 professionals worldwide to identify the level of awareness that organisations, employees, and management have of GDPR. The survey revealed that 61% identified that having the right level of competence and expertise is one of the biggest GDPR challenges for implementers; in addition, it showed that 52.7% rely on other practitioners to achieve compliance.
Since the introduction of GDPR, some proactive organisations have been making use of approved certifications, like ISO 27001 to ensure compliance. With its risk-based approach to information security, ISO 27001 provides an effective means of demonstrating compliance with the information security requirements of GDPR. The fact that it is also the default management system for protecting organisations against cyber crime doubles its benefit. While cyber crime is not directly addressed in the regulation, it is an increasingly common cause of data breaches.
A key change to come from the GDPR legislation is the demand for the appointment of a Data Protection Officer (DPO) being mandatory for all public authorities and many private organisations. A further study from IT Governance revealed that out of the total number of respondents required to appoint a DPO, 84.20% indicated that they had identified or appointed one. These positive results suggest that while DPOs might not yet be active in their roles, the majority of organisations have made significant progress in taking measures to ensure compliance.
The guidance from data protection authorities emphasises the importance of making all staff aware of the regulation and for organisations to factor this into their compliance planning. Fundamentally, organisations need to know what personal data they currently hold or process, understand the risks to that data, adapt their business processes and infrastructure, implement tools and compliance processes, and change the way they collaborate with suppliers.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
comments powered by Disqus