12 reasons GDPR will impact the whole of your business and not just IT
Robert J Toogood
Independent project, systems and risk expert who enjoys hel
The clock is already ticking towards May 2018 when the EU General Data Protection Regulation (GDPR) comes into force. Whilst there is increasing awareness of what is needed within the management board, is there a possibility that the responsibility for implementation will simply be delegated to IT again as another piece of technical compliance work to deal with?
If this happens, a major opportunity to create significant business value through more unified and robust data management will be lost, as well as the very real risk that fundamental compliance requirements will not be met.
Here are 12 initial reasons why businesses should make GDPR an enterprise-wide responsibility, strongly led from the top: the management board.
1. Management Board Accountability
Management boards are accountable for breaches of the regulation within the business, with penalties of up to 4% of last year’s turnover and associated reputational risk implications.
2. Business Opportunity
A major opportunity to digitally transform the business, enabling it to compete more effectively in the new digital economy.
3. Enterprise Wide Collaboration
The sheer scope of the changes needed across the whole business requires a robust programme management approach and strong boardroom leadership.
4. Process Integration
Data protection methods have to be integrated into all business processes, which need to be redesigned to reflect this and associated opportunities.
5. Privacy Data Management
The business must formally record why, by whom, what, when and where personal data is being processed, together with the legal basis for doing so.
6. Third Party Processor Risk
Responsibility for data now extends to all off-site processing, meaning that when data leaves the business or is shared externally, this responsibility remains with the business.
7. Data Ownership
The regulation relates to data which is ultimately, and only, owned by the business, so strong data governance is essential.
8. Cloud-Based Application Vulnerabilities
A significant number of cloud-based applications, sometimes used by business-driven shadow IT, may not be compliant and will need to be updated.
9. Cyber Data Breach Obligations
Stricter requirements for protecting the business from the threat of cyber-attack, and a need to notify the authorities of such breaches within 72 hours.
10. Compliance Accountability
The business must be able to demonstrate compliance, with some aspects of this explicit in the regulation and others implied.
11. Risk-Based Approach
Businesses have responsibility for assessing the degree of risk that their processing activities pose to individuals.
12. Independent Data Protection Role
Someone within the business has to take responsibility for data protection compliance and, if necessary, implement a formal Data Protection Officer role which reports directly into the highest management level, such as the management board.
But what do you think about this? Do you agree?
To discuss these challenges further and their relevance to your own business, please contact Robert directly at robert.toogood@data-tight.com to schedule a completely confidential and no-obligation discussion.