GDPR directly impacts EU-based companies; however, GDPR also affects organizations doing business in the EU—regardless of where they’re located. If your organization markets to, tracks, or handles an EU personal data (whether a customer, prospective customer, or employee), your company is subject to the numerous new data-management and -protection requirements mandated by GDPR.
With GDPR, companies can no longer use the data in their possession according only to their own priorities. Now, they must make smart, justified decisions around their data; moreover, they must document the governance policies that support those decisions as well as the processes and technologies that demonstrate compliance with GDPR.
At one level, organizations are reshaping their big-data strategies from top to bottom. A few years ago, the question would have been, “What’s our big-data strategy?” Now, organizations are asking themselves, “In light of GDPR, what’s our big-data strategy?”
At an operational level, organizations subject to GDPR are grappling with these kinds of questions as May 25, 2018, approaches:
To become GDPR-compliant, organizations are establishing policies and procedures that ensure accountability and transparency in terms of how they manage and process the personal data in their possession. In practice, that means:
Chances are, your organization is or will soon be formulating an enterprise-wide response to GDPR. At a departmental or functional level, what does it mean to operationalize the organization’s overall GDPR strategies and mandates?
As a risk, insurance, claims, or safety leader within your organization, now is the time to define the specific actions your department needs to take in order to comply with your organization’s overall GDPR response.
Here are some examples of the kinds of questions risk, insurance, claims, and safety leaders should be asking as they develop their team’s response to GDPR:
GDPR requires organizations to review, re-engineer where necessary, and document all their business practices, including their relationships with technology vendors. Here, it’s important to ask the same questions of your technology vendors that you ask of yourself.
As a data controller, GDPR requires you to take steps to work with technology vendors (usually classified as processors) who are GDPR compliant. After all, organizations can be fined or subjected to administrative action for working with technology partners who are not GDPR-compliant.