RiskTech Forum

Mega: How clear is your GDPR view?

Posted: 1 November 2017  |  Author: Leah Tucker

The General Data Protection Regulation (GDPR) goes into effect May 25, 2018, yet in a recent Pulse survey [1] by PwC, 36% of the 300 companies surveyed reported that they have only just started the initial assessment process. The requirements of the GDPR are extensive, however, and business complexities will pose many challenges to the assessment, implementation and management of compliance initiatives. Establishing shared accountability, managing increased regulatory scope and prioritizing initiatives are a few of these, but the single biggest challenge may well be gaining the organizational visibility needed to achieve GDPR compliance.

Few companies have complete visibility into their data, let alone their business processes, and the GDPR requires both. And, with the rate of change in businesses today, visibility will be a critical factor as their business evolves. With potential fines of €10-20M, or 4% of gross annual revenue, companies must seek a clear perspective – the risk of non-compliance is simply too costly.

Visibility will provide insight into how and why personal data is collected and processed. Collecting data without a sufficient business justification is not allowed under the new regulation. Further, what constitutes personal data has changed with the General Data Protection Regulation; data that was not considered personal before may now be, if it can identify a data subject when processed together with other related data. The right perspective will expose unneeded and hidden personal data and, without that line of sight, companies will undoubtedly miss something.

Companies can gain this visibility with an initial assessment. This assessment will extend outside IT, as GDPR is a business initiative that cannot be solved by IT alone. Establishing an inventory of data and identifying personal data and the business processes that use it are critical steps in this assessment and will require cross-functional input to be complete. Doing so centrally, so that the data can be leveraged by key stakeholders to manage ongoing compliance, is also essential.

A unified catalog of data processing activities, where people, processes and technology are visible, enables companies to identify immediate GDPR compliance gaps. Further, it can also be used to perform impact analysis, model new processes and support security-by-design and by-default efforts, two additional requirements of the GDPR.

Given the complexities of the regulation, and the ambiguity of how to meet the requirements, MEGA has partnered with Gruppo Imperiali, a company that provides expert legal and technical consulting services to multi-national companies, and has specialized in data protection for more than 30 years. Together, they designed a 6-step methodology to help companies assess, remediate and demonstrate GDPR compliance.

In today's fast-paced and continually changing businesses, implementing strong data privacy programs can lead to a competitive market advantage. In fact, the same Pulse survey “found that some companies see their GDPR programs as a potential differentiator in the market.” To learn more about our 6-step process, and begin your initial assessment, download our white paper, "6 Steps to GDPR Compliance-by-Design: Accelerate Your Journey to GDPR Compliance".

[1] Pulse Survey: GDPR budgets top $10 million for 40% of surveyed companies, PwC