
INSIGHT BLOG

12 reasons GDPR will impact the whole of your business and not just IT

The clock is already ticking towards May 2018 when the EU General Data Protection Regulation (GDPR) comes into force.

Whilst there is increasing awareness of what is needed within the management board, is there a possibility that the responsibility for implementation will simply be delegated to IT again as another piece of technical compliance work to deal with?

If this happens, a major opportunity to create significant business value through more unified and robust data management will be lost, as well as the very real risk that fundamental compliance requirements will not be met.

Here are 12 initial reasons why businesses should make GDPR an enterprise-wide responsibility, strongly led from the top… the management board.

1.  Management Board Accountability

Management boards are accountable for breaches of regulations within the business, with penalties of up to 4% of last year’s turnover, plus the reputational risk implications that follow a breach.

2.  Business Opportunity

Major opportunity to digitally transform business, enabling it to compete more effectively in the new digital economy.

3.  Enterprise Wide Collaboration

The sheer scope of the changes needed across the whole business requires a robust programme management approach and strong boardroom leadership.

4.  Process Integration

Data protection methods have to be integrated into all business processes, which need to be redesigned to reflect this and associated opportunities.

5.  Privacy Data Management

The business must formally record why, by whom, what, when and where personal data is being processed, together with the legal basis for doing so.

6.  Third Party Processor Risk

Responsibility for data now extends to all off-site processing: when data leaves the business or is shared externally, the responsibility remains with the business.

7.  Data Ownership

Regulations relate to data which is ultimately and only owned by the business, so strong data governance is essential.

8.  Cloud Based Application Vulnerabilities

A significant number of cloud based applications, sometimes used by business driven shadow IT, may not be compliant and will need to be updated.

9.  Cyber Data Breach Obligations

Stricter requirements for protecting the business from the threat of cyber-attack, and a need to notify the authorities of such breaches within 72 hours.

10. Compliance Accountability

The business must be able to demonstrate compliance, with some aspects of this explicit in the regulation and others implied.

11. Risk-Based Approach

Businesses have responsibility for assessing the degree of risk that their processing activities pose to individuals.

12. Independent Data Protection Role

Someone within the business has to take responsibility for data protection compliance and, if necessary, a formal Data Protection Officer role must be implemented which reports directly into the highest management level, such as the management boardroom.

These are just an initial 12 reasons why businesses should make GDPR an enterprise-wide responsibility… but what do you think about this, do you agree?

To discuss these challenges further and their relevance to your own business, please contact Robert directly at robert.toogood@data-tight.com to schedule a completely confidential and no-obligation discussion.

PS For those organisations operating out of the UK, the recent Brexit referendum result will unfortunately not affect the need for UK based organisations to comply with GDPR by May 2018… also, the latest indications are that the UK ICO is likely to implement improved data protection and privacy regulations similar in scope to GDPR if the UK proceeds with leaving the EU.

DATA-Tight is a new consultancy service, specifically aimed at helping organisations cope with the increasing amount of complex legislation relating to data protection and privacy. By leveraging our extensive real-world programme management experience and expertise, our clients benefit from a bespoke advisory service which will help them to comply with the legislation in a more tightly co-ordinated and cost efficient way.

Oct 3 2016
