The final text of the EU General Data Protection Regulation (GDPR) has been published. It brings a number of compliance obligations and strengthens the privacy rights of individuals, for instance the right to object and the right to data portability. It also requires personal data breaches to be notified to the supervisory authority within 72 hours of the controller becoming aware of them, where feasible. A comprehensive guide is available here. The regulation requires organizations to perform Data Protection Impact Assessments (DPIAs) as part of their overall risk management practices:
“In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”
As an example, consider evaluating data retention risks. Retaining data for longer than necessary and failing to apply the data minimization principle can have serious consequences for the individuals concerned in the case of a data breach: every record kept beyond its purpose is additional exposure with no corresponding benefit. Organizations can identify such risks with the help of surveys, as discussed in this panel for instance. The graphic below shows a simplified overview of the necessary steps for conducting DPIAs:
This is only one aspect of the new regulation. The new rules become applicable on May 25, 2018. Fines for non-compliance can reach up to 4% of annual global turnover or EUR 20 million, whichever is higher.
The GRC Product Management team and Product Security Research are running a Customer Engagement Initiative, a co-innovation project that helps customers adapt and improve their privacy management programs with SAP GRC. There is still room for participation, and candidates do not need to be current GRC customers. Contact Anderson SANTANA DE OLIVEIRA for more information.