What is GDPR?
It stands for General Data Protection Regulation. It is a European regulation that will be enforced from 25 May 2018. In essence, it amounts to an enormous tightening and extension of privacy legislation. This was necessary in order to respond to the new risks that digitization entails.
What are the new challenges?
It is mainly the duties of the controller that are new; the rights of the citizen (natural person) already existed in previous European privacy legislation. The regulation places many demands on your organization:
If your data processing and storage involve (high) risks, you must perform a DPIA (data protection impact assessment) and possibly even appoint someone as DPO (data protection officer).
When designing your services and products, you must apply the concepts of “privacy by design” and “privacy by default” from the start. This means that privacy aspects must be treated as a need-to-have at the foundation of your processes, products and service development.
You will need to have a documented internal policy or service level agreement and submit it on request of the authorities. You must also have a data breach procedure and be able to detect and report data breaches within 72 hours.
In short, there are many challenges and it is not easy to efficiently map, tackle and manage them in a sustainable way without support.
Who is it applicable to?
GDPR applies to every organization, large or small, that keeps personal data about natural persons. When it comes to sensitive information, the obligations weigh heavier. Therefore, many companies underestimate the scope of GDPR. Knowledge of what counts as sensitive data, in particular, is often insufficient.
In addition, many medium-sized and smaller companies do not feel that the rules apply to them, which is a mistake. The rules apply to everyone, from SMEs to multinationals.
Who should be working on it?
GDPR is not a matter for the CIO alone. GDPR is also of interest to the Chief Legal Officer, because it is a matter of internal compliance with legal consequences.
GDPR is also on the agenda of the CFO, because there are severe financial consequences, with fines of up to 20 million euro, if one does not comply with the rules.
GDPR is also a critical point of attention for the CEO, because he is ultimately responsible for non-conformities.
In short, GDPR is a shared responsibility across departments and roles.
How do you proceed?
Many checklists and step-by-step plans circulate for complying with the GDPR rules. But these often place the responsibility with one party in the company, namely IT. However, GDPR affects the entire organization, and therefore a successful, cost- and time-efficient approach that remains feasible in the future should be coordinated company-wide.
Moreover, GDPR is a complex matter that cannot be reduced to a generic 10-step to-do list, but requires a tailor-made approach with an eye for the company culture.
This is why Xedis proposes the GDPR Compliance Navigator which focuses on the gap between As Is and To Be.
What does our navigator look like?
The Xedis GDPR Compliance Navigator is a tailored service that takes around five days and:
Identifies and describes the internal stakeholders and their roles;
Identifies your privacy and data management challenges through a materiality analysis;
Offers a customized roadmap to achieve GDPR compliance;
Provides a proven change and project management method to anchor compliance.
We make the difference because we see GDPR compliance and monitoring in your organization from a governance perspective and as a shared responsibility between business and IT.
This approach is in line with the core activity of our advice for companies, namely harmonizing IT and business delivery through process and organization optimization. We pay a lot of attention to internal change, communication flows and governance aspects.
We offer this service in a package that is budgeted on a flat-rate basis.
Afterwards you can quickly, purposefully and efficiently take the right steps to enable sustainable GDPR compliance. In order to properly assess and manage the risks, GDPR is treated as a shared responsibility that is tackled with a project management approach.
Xedis can also support you further as:
Interim DPO (Data Protection Officer)
We can manage the implementation of the action plan so that you can continue to focus on your core business without any worries.