Shorthand for the General Data Protection Regulation, this is a benchmark law aimed at tightening control over the personal data of individuals in the EU. A company that does not comply with GDPR risks being shut out of European business, and companies found in contravention of the regulation face startlingly serious penalties: fines of up to €20 million (almost R300 million) or 4% of annual global turnover, whichever is higher.
GDPR casts a wide net: anything from a name or photo to an IP address can qualify as personal data. Yet even though the law becomes enforceable this month, nearly half of the companies surveyed by analyst firm Gartner will not be compliant even by the end of the year.
“A remarkable number of businesses haven’t yet prepared for GDPR, or for that matter other new regulations such as POPI,” said Riaan Bekker, Riskonnect solutions manager at thryve, a supplier of risk integration and management technologies. “It’s tempting to blame negligence, but I think often businesses are intimidated by the complexity. One way to address this is to get specialists in, but that will be expensive and solves a problem. It doesn’t always introduce a new capability. Using technology, on the other hand, can cut through the red tape and also create a platform that the business can use to improve its competitiveness.”
GDPR readiness can demand formidable preparation, not to mention analysis of, and visibility into, company processes. Specifically, one of GDPR’s requirements is a risk-based approach to data protection, with policies that reflect it. Companies should keep an inventory of the processes that handle personal data and change those processes accordingly. At the very least, GDPR is a good example of how companies need to stay agile as new regulations appear.
The right technology can help tremendously to identify the right processes, create appropriate workflow automation and keep a business ready for any future changes in the law. Riskonnect, a leading risk aggregation platform, recommends these nine features you should look for in technologies that can address the challenge:
1. Process and systems inventory: The platform should be able to identify your various processes and systems, and establish data ownership over them.
2. Internal Audits: Risk managers should be able to create questionnaires, workflows and notifications that help them audit the business and its third parties.
3. Issue and action management: The technology should support the creation of detailed action plans for responding to events such as a data breach.
4. Regulatory interaction: Confidently interact with both regulatory and internal stakeholders while ensuring you have a single source of truth for the data.
5. Management of Contracts and Corporate Policies: Know what all the related contracts and policies are by giving them a central home within the platform.
6. Ongoing data sharing request management: The sharing of specific data can be automated while staying within regulatory limits.
7. Data request management and governance: With the right platform, any request for information can be processed in line with the applicable regulations.
8. Vendor risk management: Best-of-breed risk aggregation platforms should extend to third parties and help manage their data security and access needs.
9. Reports and dashboards: From analytics to audit trails, the platform should provide clear and reliable visibility of data security activities.
There are many different parts of GDPR, including the creation of key data-related roles and a clear will from leadership to implement the changes. But without visibility and control, there can be no strategy.
Such an investment plays into the future. Data regulation is only set to expand as societies come to grips with this new era. At the same time, the speed of business is accelerating, but with high speed comes more risk. GDPR is not just a compliance demand, says Bekker.
"Regulations such as GDPR are just more indications of how the world is changing. Speed, automation and intelligence are becoming the crucial ingredients for business success, but that means the gaps between opportunities are closing. So don’t look at GDPR as a grudge, unless you just want to use consultants to pave over it. It’s an opportunity to make a business more resilient and responsive towards risk," he concludes.