The European Union General Data Protection Regulation (GDPR) marks the beginning of significant changes to how companies manage and process personal data, to their privacy compliance programs, and to their IT systems and infrastructure. The GDPR repeals and replaces Directive 95/46/EC and applies from 25 May 2018.
“The GDPR signals the start of a new generation of data privacy laws and practice in Europe and beyond,” said Bojana Bellamy, President, CIPL. “The new law will affect the risk profile of organisations, impact their management, use and sharing of data, as well as their IT systems and infrastructure. But GDPR also represents an opportunity for organisations to consider data privacy compliance more strategically and holistically, as it becomes key to their data strategy and the digital transformation of their business.”
The report highlights nine key trends that bear most directly on everyday business and compliance concerns, including:
GDPR Impact: Respondents believe that the aspects of the GDPR that will have the largest impact on their organisations are the requirements for a comprehensive privacy management program, use and contracting with processors, as well as data security and breach notification. As expected, senior management is most concerned about the GDPR’s enhanced sanction regime and the data breach notification requirements, as well as how the regulation will impact their data strategy and ability to use data.
Data Transfers Outside the EU: Organisations appear to use a wide variety of mechanisms today for transfers of data relating to internal human resources (HR), consumers/customers, and vendors, and according to the responses they will continue to do so after the GDPR applies. The most popular mechanisms today are, in descending order: Model Contracts (standard contractual clauses), the consent and contractual-necessity derogations, and Privacy Shield.
Compliance Technology Tools and Software: Organisations do not currently appear to make wide use of, or have access to, technology tools and software that support data privacy compliance tasks. Only a minority of organisations use technology to automate and industrialise their data protection impact assessments (DPIAs), data classification and tagging policies, data processing inventories, and delivery of the new right to data portability.
“This GDPR survey report is designed to help organisations understand and benchmark the key operational impacts of the regulation and to support their internal change management program,” said Dana Simberkoff, Chief Compliance and Risk Officer, AvePoint. “We hope that this report will allow organisations to accelerate their progress toward true operationalisation for GDPR readiness.”