The General Data Protection Regulation (GDPR) will become effective on 25 May 2018, but IT leaders of organizations required to be compliant on that date may not yet be (fully) aware of its consequences. The scope and definition of what is considered personal information expand, while the rules on how to process it, the contractual requirements, and the need to demonstrate accountability require thorough documentation and reporting. The significant fines introduced by the GDPR are causing decision makers to re-evaluate their measures for processing personal data safely. Given the short preparation period and the wide range of changes the GDPR brings, they are often unsure where to start.
All IT leaders involved in security, risk and privacy management should:
1. Ensure that a data protection officer (DPO) is appointed, and create a task force to address the challenges the organization faces under the GDPR.
2. Review personal data processing operations for subject rights enforcement and cross-border data flow compliance, including adequate data processor selection.
3. Establish and maintain an internal framework for accountability, taking into account mitigation of risk resulting from the data processing activity.
4. Strengthen transparency by instituting comprehensive central business registration and documentation of data processing activities.
5. Seek legal advice, where necessary, in the pursuit of risk-based timely compliance decisions.