In my last blog, I provided an overview of the General Data Protection Regulation (GDPR) and talked about the Roles and Responsibilities of various parties. Let us look at three aspects today — rights of individuals, how organizations may want to look at tackling GDPR readiness, and GDPR certification.
Rights of Individuals:
GDPR is all about personal rights of the individuals (aka data subjects). The individual is given increased rights, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (or “right to be forgotten”)
- Right to restrict processing
- Right to data portability, among others
The question to ask each customer: how are your business processes set up to receive, verify and fulfil requests from individuals (data subjects) under each of these categories, and to answer them within the one-month response window that Article 12 sets (extendable by two further months for complex or numerous requests)?
Tackling GDPR readiness
A look at various analyst studies gives a realistic picture of market readiness. Forrester’s 2018 Predictions lists the GDPR challenge at #8, with a callout that “80% of firms will not fully comply with GDPR” by May 2018, the main reasons being cost and risk-benefit analysis.
The question we need to ask is: what is the real issue behind this lack of readiness? Are organizations skeptical of the motivation behind GDPR? Are they prepared to bear the consequences of non-compliance (hefty fines, negative publicity, etc.)?
A motivating factor for organizations is to acknowledge that GDPR presents an opportunity for better governance and data management, leading to improved business outcomes. At SAP SuccessFactors we look at GDPR as a catalyst for building a culture of compliance readiness and for creating strong frameworks and processes that mitigate risk on an ongoing basis. Remember that the landscape of data protection and privacy laws is expanding rapidly, and that European privacy law is often used as a model for legislation elsewhere in the world.
GDPR certification
There is no official GDPR certification or accreditation available today, although the Regulation provides for certification mechanisms (Article 42) and various working parties are discussing the need for them and how they should work. Other certifications and attestations commonly used for cloud services in recent years, such as ISO 27001 certification or ISAE 3402 and ISAE 3000 attestation reports, focus on information security and control governance. They can help demonstrate the governance and accountability capabilities that GDPR’s accountability principle (Article 5(2)) expects, but they do not by themselves evidence compliance with GDPR-specific obligations such as lawful basis for processing or the handling of data subject requests; those still have to be shown separately.