GDPR: Who Needs To Know And What They Need To Do
It’s beyond debate that data is one of a company’s most valuable resources. The total revenue from online advertising in 2014, for example, reached US $49.5 billion, the majority of which is based on users’ personal and demographic information to show more relevant messages. The direction of travel since then has only been in one direction.
The European Union’s new law, the General Data Protection Regulation (GDPR), focuses on controlling the use of individual persons’ private information and ensuring that it can be protected. If your company violates the regulation, you could face penalties of as much as 4% of your annual global revenue or €20 million, depending on the details and severity of the violation.
To avoid incurring substantial fines, businesses need to plan well in advance on how to deal with the requirements of GDPR. Although the details may vary from one organization to the next, the roles and perspectives listed below are some of the most important for your company to take into account.
CEO and board of directors
These people will mainly be interested in GDPR’s impact on their business processes. This means performing a top-to-bottom review of the relevant personal data that you handle.
CEOs and the board of directors may also want to understand the cost-effectiveness of their data strategy. Are you collecting and access more personal data than necessary? If so, check into reducing this amount. Continuing to accumulate silos of unused and potentially toxic data increases the need for encryption, and therefore will require more investment.
Chief compliance officer (CCO) and chief risk officer (CRO)
The CCO and CRO will focus on articles five and six of GDPR, which define the concepts of “lawful processing” and “accountability.” It remains up to the CCO to demonstrate your company’s compliance by introducing clear company-wide data protection and privacy policies, so that you can respond quickly and with agility to potential breaches.
In addition, the CRO should establish an accountability framework by adding documentation of current risks and controls into the existing internal controls system. This may consist of taking a risk-based approach by assessing the “likelihood and severity of risk” of personal data processing operations.
According to the UK-accountancy firm BDO: “The expectation is that data privacy governance will be strengthened with more robust reporting to Board level and stronger control structures established to ensure the organisation, its employees and third parties are aware of their respective obligations under the GDPR and other data protection legislation… Robust procedures for detecting, reporting, and investigating data breaches need to be established to meet the GDPR requirements.”
Data protection officer (DPO)
Most businesses that market goods or services to customers within the EU and collect their personal data must appoint a data protection officer (DPO). DPOs work on behalf of customers and their privacy, which means that they might often have recommendations that are contrary to the ideas of other data-driven roles.
Data protection officers have a number of jobs to do as the GDPR approaches, including conducting internal data protection assessments to ensure that all matters of data compliance are up-to-date. They should serve as expert advisors to the highest level of management about their obligations under the new law, with advanced knowledge of how to carry out data protection.
It might be work investing in some external assessments like we do with security in the form of “pen tests.”
Chief information officer (CIO) and chief information security officer (CISO)
These roles generally deal with keeping a company’s data safe and making sure that it is being exploited to improve business functions and processes. To prepare for the GDPR, CISOs will:
- Define your GDPR requirements in your company’s overall security strategy
- Take responsibility for cybersecurity, including monitoring access to personal data and data breach reporting
- Limit the access of personal data to authorized employees
Meanwhile, CIOs will typically focus on fulfilling data subjects’ new rights, laid out in article three of the GDPR. These include:
- The right to provide and revoke consent for processing personal data
- The right to correct, export and transfer information
- The right to be forgotten
The CIO does need to have a plan to fully understand where data is stored and which applications and services use it in order to execute on the obligations above.
Regardless of titles and roles, organizations adhering to the GDPR must establish comprehensive programs to address these key areas of data protection. The more automated these programs are, and the more they’re integrated with existing business applications and audit and compliance tools, the more effective and cost-efficient they will be.