GDPR is a marathon not a sprint

With all the hype about May 25, many organisations are seeing the date as a GDPR deadline. But it’s not. The implementation date is the starting line for ongoing compliance with the EU’s new data privacy regulation. From this date forward, organisations are expected to be able to show they have systems in place that will continue to meet GDPR compliance

Holistic vs prescriptive

Unlike previous data regulations, which were rigid and could be met by ticking off software and policy requirements, the General Data Protection Regulation is a holistic approach to personal data security and requires re-evaluating systems so they are particular to each organisation’s compliance efforts.

The GDPR requires us to build our systems so that we achieve operational compliance while going about everyday exercises. To achieve this, we need to undertake risk assessments to reveal the gaps in our systems, create policies to address these risks, and then implement systems to match our policies.

Continuous compliance monitoring

Instead of a static compliance effort that can be pulled off as a one and done exercise, GDPR compliance is a never ending journey of compliance monitoring. It’s an opportunity for us to show that we’re accountable in our collection, storage and processing of personal data going forward.

Organisations need to have systems in place to be able to respond to a data breach within 72 hours, and field data subject access requests within 30 days. Failures to respond in the appropriate time frames can cause trigger events that might result in sanctions. And the fines are huge: up to 4% of annual global turnover or €20 million, whichever is greater.

Technology plus risk analysis

From an IT security standpoint, organisations need to ask if they’re still focused on technology alone or beginning to look at the effects of the technology and its impact across the organisation, as well as what that means from a risk perspective.

Some frameworks such as ISO 27001 can help you work out where you do or don’t comply in terms of IT security, but you also need to put processes in place to ensure you can respond to the ongoing GDPR compliance issues. A framework like GDPR365 is an example of a system that can help you do that.