Key Changes The GDPR Will Bring To Your Organisation

By Chris Harris, Support Analyst, Marval

The General Data Protection Regulation is coming into force on the 25^th of May 2018 - that’s less than a year. The countdown has begun for organizations all over the globe to comply with the new norm (and avoid any fines). So, what’s new? Here’s some key points you have to consider:

1.       Don’t be off base. It doesn’t matter where you are based, whether your business is physically located in the EU or any other place in the world. If you are collecting, processing or storing personal data of people who are based in the EU, the GDPR applies to you and you have to comply. It’s a global thing and no business can ignore it, really; unless they operate exclusively in their local market, or do not collect their customers’ data.

2.       DPO: A new role is born. The GDPR requires that any organization which systematically or regularly collects and stores personal data, have a Data Protection Officer (DPO); an assigned professional who will be responsible for data safety and protection, as well as for the compliance with the new regulation. The DPO can be an existing employee with extended or upgraded responsibilities, a new hire or an outsource, and they can come from any relevant background, including compliance, legal, IT or marketing. Whatever their previous experience, they will have to work closely with the CIO and any other departments concerned (e.g. marketing) to ensure compliance with the new regulation and that any private or sensitive data is properly protected.

3.       Time matters. 72 hours – that’s all the time you’ve got to report any data breach to the local authorities and any affected customers. The clock will start ticking from the moment you become aware of the breach, and a detailed report (which has to include specific data on the impact of the breach, e.g. the number of stolen records) should reach the local authority in each country whose residents are affected. So, when a breach happens, you have to identify who is affected, how they are affected, where they are located, prepare an analytic report and send it to all local authorities AND any affected customers, within 72 hours (while dealing with the breach itself). Are you stressed already?

4.       Better kept in private. Privacy-by-design becomes a necessity and, if your organization doesn’t have a relevant process already, you really should consider adopting one. You have to make sure that relevant security controls are in place for any new activity, campaign, project or operation that starts in your organization. Simply put, you have to be more proactive than reactive with data protection; and this has to apply across your organization, covering all departments and operations.

5.       Cut it fine. Regardless of the new regulation, protecting your customer’s private data is the right thing to do and would normally be part of any responsible business’ code of conduct. If a business decides not to comply with the GDPR though, there could be fines of up to €20 million or 4% of their global annual turnover for the preceding financial year, whichever is the greater.  The new regulation also introduces a right for affected customers to claim compensation for damages they suffered from any breaches. Is this a risk worth taking?

Compliance with the GDPR requires a new culture around data safety, which will be strictly process-based and reinforced across the organization. Marval MSM, the intelligent IT Service Management platform, integrates specific features and smart updates that help businesses promote the right culture and facilitate the implementation of their new data safety strategy; so they can be more confident and compliant with the new Regulation, and ready to concentrate on providing excellent customer service.