Descending the mountain: Staying vigilant with data privacy regulations

  • Posted on May 3, 2018
  • Estimated reading time 3 minutes

In some ways, adopting the new European Union General Data Protection Regulation (GDPR) is like climbing Mount Everest. Success is not measured in reaching the milestone, but in what happens afterwards. For climbers, success is more than reaching the summit; it’s surviving the descent and making it back to base camp alive. For security and data privacy professionals, success is more than preparation for the May 25, 2018 enforcement date of GDPR – it’s the ongoing vigilance in making sure their organization remains ready for compliance with the new rules and regulations.

Preparation for GDPR is an extensive process, ideally carried out by a team of security, data privacy and legal practitioners. Consulting firms like Avanade are available to assess an organization’s readiness for the new rules and requirements under GDPR. You may wish to read the various posts on GDPR preparation, published on our Avanade Insights blog.

No matter where your organization is located – within the EU or not – it must comply with the GDPR if it collects, processes, shares or stores personal data that identifies “EU data subjects.” This includes both personal data, such as names, physical addresses, age, gender, phone numbers, email addresses, etc. of any citizen or resident, as well as any “special category of personal data,” including racial or ethnic origin, biometrics data, disability, sexual orientation, genetic information, etc.

How to stay compliant

To remain compliant is very similar to the initial setup of a GDPR program:

  • Data inventory: This includes up-to-date documentation of all systems and processes that are impacted by GDPR, such as any personal data from EU data subjects that the enterprise currently has, where it is located, and with whom it might be shared or processed.
  • Prepare for a potential data breach: When a breach is likely to result in a risk to the rights and freedoms of natural persons, organizations, as data controllers, are required to report a data breach no later than 72 hours after becoming aware of it or be prepared to provide the reasons for any delay.
  • Training: Ensure that you provide training of all new employees during onboarding on the key components of a data privacy program and make sure they understand their role in the program.
  • Make sure all EU data subjects understand their “absolute rights” over their personal data: That includes their understanding of how you will use the data – and their consent to those uses. Depending on the lawful basis of processing the data at issue, it may include their ability to change their mind about what they will and won’t allow, have their data returned to them upon request, and insist that their data be deleted from all systems and databases under the “right to erasure” (also known as the “right to be forgotten”) regulations. Simply stated, dependent on the lawful basis of processing, data subjects located in the European Union – anyone residing in the EU, not just EU citizens – can request that their personal information be removed from corporate databases in a timely fashion or know the reason why it can't. That said, it is important to note that according to the Office of the European Data Protection Supervisor, privacy and data protection are not absolute rights in the EU and may need to be balanced against legal obligations, contract, the corporation’s legitimate interests, and against other vital interests, such as national security.

Like successful climbers who return safely to base camp of Mount Everest, organizations that remain vigilant to the new rules and regulations under GDPR reduce their risk of incurring penalties associated with non-compliance. And like the teams of guides, Sherpas and medical staff who support a climb to the summit, it sometimes takes an expert in security and data privacy to help you assess your organizational readiness, preferably someone who has had previous experience in such readiness assessments.

Avanade Insights Newsletter

Stay up to date with our latest news.

Contact Avanade

Next steps

Talk to us about how we can bring the power of digital innovation to your business.

Modal window
Share this page