New data protection rules demand new approaches
The General Data Protection Regulation (GDPR) becomes enforceable from 25th May 2018 (Day 1) after a two-year transition period. Unlike previous data protection directives it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable.

The regulation seeks to harmonise data protection law across European member states and is significantly more prescriptive than previous data protection directives.
Leonard McAuliffe

Each jurisdiction where GDPR applies will have an appointed Supervisory Authority (the ODPC in Ireland), which will have widespread investigatory and corrective powers, including the right to:
• require the provision of information
• conduct audits
• obtain access to premises
• impose data processing bans
• suspend data transfers
• order the correction of an infringement
• issue fines of up to €20 million or 4% of global turnover for serious breaches

The GDPR raises significant compliance issues that have major change and cost implications for businesses, for example:

1. Mandatory data inventorying and record keeping of all internal and third-party processing of European personal data.

2. Mandatory data-breach notification to regulators and individuals whose information is compromised following information-security failures.

3. Comprehensive individual rights to access, correct, port, erase, and object to the processing of their data, which have a significant impact on processes and technical systems.

4. Routine data-protection impact assessments for technology and business change.

5. Mandatory data protection officers and an overall rethinking of privacy strategy, governance, and risk management.

Based on our experience in helping clients with GDPR, we note that the breadth and depth of GDPR impact, coupled with the limited time remaining, make it easy for organisations to lose direction.
Some key recommendations for those businesses starting out on their GDPR journey include:

1. Organisational Commitment - A key accelerator in the GDPR journey is the clear commitment of senior management, appropriate levels of resourcing, staff training and ongoing communication.

2. Forming the right team - GDPR project teams should be multi-disciplinary, with representatives from the various business units and supporting functions such as Legal, Compliance, PMO, IT, HR, Communications, and Information Security, enabling them to identify, design and implement the changes that are necessary.

3. A Risk-Based Approach - Work needs to be prioritised so that critical risks, issues and key business objectives are addressed before matters of lesser importance. A risk-based approach recognises that, in the real world, businesses, litigators and regulators have to make hard choices about their priorities. It therefore tackles major risk areas first, taking account of the entity's key business objectives and assessing the business risks that GDPR may bring.
Leonard McAuliffe is a Director at PwC Cyber Practice.
This article appeared in the September 2017 edition.