The General Data Protection Regulation (GDPR) triggers the most significant changes to EU data privacy regulation in 20 years. It aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. It replaces the 1995 EU Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. It expands on the rights of data subjects, such as breach notification in less than 72 hours, the right to access, the right to be forgotten, data portability, privacy by design, and mandatory deployment of Data Protection Officers (DPOs).
- Who is regulated: Every EU-based “controller” or “processor” of personal data is regulated, as is every controller based outside the EU that targets goods or services, or profiling, at people living in the EU. The territorial scope is increased: the regulation applies to all companies processing the personal data of data subjects residing in the Union.
- What constitutes personal data: Any information related to a natural person or “Data Subject,” which can be used directly or indirectly to identify a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- Important Dates: Regulation came into effect April 2016; Enforcement date set for 25th May 2018.
- Penalties for Lack of Compliance: Regulators have warned that fines for non-compliance may reach as high as 4% of worldwide revenue or €20M, whichever is higher.
- Impact on US firms: Ninety-two percent of U.S. multinational companies cited compliance with the General Data Protection Regulation (GDPR) as a top data protection priority. Sixty-eight percent are earmarking between $1 million and $10 million on GDPR readiness and compliance efforts, while 9 percent of those companies are expecting to spend over $10 million.
How Knowledgent Can Help
The most critical first step is to perform a readiness assessment. Knowledgent will utilize interviews, collaboration workshops and design sessions to capture the required information and assess the current state and perceived gaps for GDPR Compliance. Knowledgent will synthesize outputs of the discovery into action plans which will inform the executable roadmap.
The roadmap will include recommendations for alignment of People, Process and Technology across the Discover, Security and Governance components. Various tools, such as Global IDs and Collibra, could form part of the technology aspect of the roadmap. Activities will be defined along the following dimensions: compliance and delivery risks, resourcing required, level of effort, and implementation estimates and milestones.
Knowledgent understands and has experience interpreting the GDPR regulation and “right-sizing” it for our clients, and has deep expertise in data governance management, all within an industry context. We bring assets and accelerators to enhance discovery and execution roadmap creation.