2018

According to industry consultants, companies should see GDPR not as just one more irksome compliance challenge, but as an occasion to look more broadly at their security processes and to situate compliance within frameworks that they may already have, at least partially, in place.

They suggest eight principles that can help determine the need for specific GDPR-focused upgrades: including knowing your assets and where they are located, possibly using your current risk management program as-is, perhaps extended to cover a specific focus on protection of GDPR, implementing standard security frameworks to address GDPR and other regulatory requirements, run IT based on best practices all the way from governance down to technical IT processes, always have a valid reason to process PII, get buy-in from management the right way, do regular check-ups of your entire IT environment, and automate whenever and wherever you can.

A new article in HR Grapevine discusses how firms will cope with the new way of managing data, specifically, how some will see it as a regulatory burden, while others will view it as a way to create a corporate culture of compliance.

The article suggests that companies need to engage the whole workforce, and that firms that really use GDPR to enhance their data protection will foster trust. Overall, it notes that while getting the hang of GDPR is onerous, creating a culture of awareness is fundamental to business security, and GDPR can bring many benefits to a business.

Although GDPR is an EU regulation, its application is not limited to the companies located within the territory of the Union. Its scope also reaches undertakings established outside the EU including Serbian, Montenegrin and Bosnian businesses.

Therefore, those entities wanting to avoid reputational damage and the risk of being exposed to the large fines which courts in EU member states may impose for violation of GDPR, should review and adapt their privacy|data protection policies and proceedings, appoint a representative in the EU, where applicable, and should not lose sight of what complying with GDPR requires.