The European Union General Data Protection Regulation (EU GDPR) is set to come into effect on the 25th of May 2018 and will strengthen the rights of individuals online, while creating significant obligations for businesses operating in an increasingly connected world.
The regulation applies to information which directly or indirectly identifies an individual, including customer lists, contact details, genetic/biometric data, and online identifiers like IP addresses.
As with any change within an organisation, there are various challenges to navigate. When implementing the EU GDPR, be aware of and avoid the following common pitfalls:
- Not having a clear understanding of where and how personal data is stored, how it moves around your enterprise, how it is protected and how it is deleted once no longer required.
- Underestimating the challenges of implementing a robust, effective programme for data subject rights, such as subject access requests and requests to delete personal data.
- Not having an enterprise-wide incident response plan in place. The plan should incorporate escalation plans and nominated advisors covering all required stakeholders, including business operations, legal, PR, and key third parties such as IT service providers on whom you rely.
- Failing to consider supplier and third-party data protection management on an ongoing basis.
- Failing to implement and maintain internal training programmes and procedures.