Last month, the EU General Data Protection Regulation (GDPR) was approved, entering a two-year transition period during which member states and organisations handling European residents’ personal data will need to adopt the new requirements.
The Regulation introduces tough penalties for non-compliance: organisations that fail to meet its requirements face fines of up to 4% of annual global turnover or €20 million, whichever is greater.
As the Regulation promises to take its toll on IT teams by mandating the revision and implementation of new processes and procedures in order to achieve compliance, we take a look at some key requirements IT departments need to consider.
IT interaction with Cloud service providers
Currently, the main challenge IT departments have with Cloud service providers is controlling access to their data. In the future, organisations will no longer be able to rely on third parties to safely store or process their consumer data sets on the basis of ordinary assurances. IT departments will need to ensure that Cloud vendors storing, securing and processing data have achieved compliance with the GDPR’s new and stringent requirements.
Internal IT challenges
A major burden for IT departments is finding the right talent to achieve compliance with the EU GDPR. The new Regulation mandates that organisations processing high volumes of personal data hire, contract or appoint an independent data protection officer (DPO). The DPO must have a good understanding of both the technical controls needed and the legal requirements of the new Regulation. Data protection officers are also required to establish good communications with senior management teams or decision-makers within the organisation, so that those decision-makers understand what is needed to meet the EU GDPR’s requirements.
To fulfil the role of data protection officer (DPO) under the GDPR, and to get an in-depth understanding of the Regulation, book a place on IT Governance’s Certified EU GDPR Practitioner training course.
The course is designed to equip data protection officers with a comprehensive understanding of the implementation requirements, necessary policies and processes, and important elements to consider for effective data security management.
Data breach reporting responsibilities
In the event of a personal data breach, the Regulation requires organisations to notify the authorities within 72 hours of becoming aware of the exposure. As a result, IT departments will have to take a proactive approach in preventing and reporting data breaches. It’s important for IT teams to have an effective cyber incident response management plan in place for a fast and comprehensive response to a data breach.
To find out more about IT Governance’s Cyber incident response management service, see the service page.
To address the data privacy challenges imposed by the stringent Regulation, IT teams will be required to conduct gap analyses or carry out in-house evaluations of their data protection processes and policies. To support these activities, organisations can take advantage of pre-prepared documentation toolkits.
Documentation toolkits can reduce the burden of developing the necessary documents to achieve legal compliance because they contain a full set of policies and procedures to enable organisations to comply with the EU GDPR.