Up until now, organisations have not addressed their data protection and privacy vulnerabilities in a consistent way. The arrival of the EU's General Data Protection Regulation (GDPR) changes this: it places a much higher importance on visibly protecting personal data, imposes significantly greater requirements that need to be met, and introduces much stricter penalties for non-compliance, including failures in the handling and reporting of a breach. Putting the reputational impact of any breach to one side, organisations face fines of up to 4% of annual global turnover or €20 million, whichever is greater.
To respond to these changes effectively, organisations need to assess their current position and how ready they are to meet the new regulation. Given the complexity of most estates and the lack of reliable information about where and how personal data is held, this may not be straightforward. The readiness assessment should be followed by a detailed GDPR gap analysis to identify specific areas of non-compliance. More detail can then be drawn out in a specific privacy impact assessment (what the GDPR itself calls a data protection impact assessment), which should allow organisations to be clear about the action they need to take on governance, processes, organisational structures and technical requirements.
It is clear that the GDPR is already on Board agendas, but what many have not yet grasped are its full implications and the way it will expose wider weaknesses in current data management, not least in the supply chain. We worked with one company that found that 65% of its third party suppliers were not meeting their security requirements – and such failures are likely to be common. This underlines how the GDPR will raise the stakes and why organisations need to focus on securing the support and skills they need to address its challenges. The GDPR – with its new requirements and penalties – is a game-changer for data protection.