GDPR, General Data Protection Regulation, GDPR Audit, GDPR Implementation, GDPR Consulting, GDPR Impact Analysis, GDPE Assessment
By: Mitchell H.Levine.CISA Audit Serve, Inc.
General Data Protection Regulation (GDPR) is here and it impacts a large portion of EU, US and companies around the world. What separates this regulation from other regulations is that companies will be compelled to be compliant because of the sanction (fines 20 million euro or 4% of revenue whichever is larger). Companies that plan not to be compliant because there may not be a regulatory enforcement present to measure their level of compliance are mistaken because the company’s customers will be at the forefront of identifying non-compliance. Instead of companies dealing with an internal employees being a whistleblower now the company’s entire customer base of EU citizens will all be the whistleblowers.
Companies and organizations need to perform an initial assessment to determine whether they are in-scope to being compliant with GDPR. Any company which stores or processes data of EU citizens are required to meet all of the regulations set forth within GDPR. All types of industries from financial, insurance, health care, service providers and companies who provide services to other companies who are in-scope for GDPR are impacted. Even companies who have no operations in the EU and scan their customer databases to ensure none of their customers are located in EU countries could still be in-scope for GDPR.
The problem is that companies would not capture the information regarding a customer who has dual citizenship in which one of the citizenship is with one of the EU countries. Therefore, even a small US community bank could be in scope for GDPR.
GDPR (Regulation (EU) 2016/679) was adopted on 27 April 2016 in which compliance needs to be achieved by 25 May 2018. GDPR replaced the 1995 European Data Protection Directive (Directive 95/46/EC).
Additional guidance will need to be issued by EDBP (European Data Protection Board) because the manner in which the regulations are written leaves a lot to be interpreted as it relates to establishing business processes and IT initiative to meet the intent of the regulations. This is the reason a two-year transition period was set because additional guidance needs to be issued by EDBP to adopt appropriate implementation plans.
*****************************************************************************
If your organization has completed most of its GDPR initiatives, Audit Serve, Inc. is scheduling GDPR Project Assessments to determine the degree in which your organization has completed these initiatives. Contact me @ Levinemh@auditserve.com to discuss our proposal of services or visit our website
One of the rulings which has has a far reaching impact to companies is the right to erasure which was an expansion of the previously regulation of the right to be forgotten. The right to be forgotten regulation was derived from an action taken against Google to have individual delisted from the search engine because the data was irreverent. The new right to erasure goes much farther than the original regulation by allowing data subjects (EU citizen who has data stored or processed by a company/organization) to request their personal data be erased from a company’s systems. Depending on the final interpretation of this regulation, it could require deletion of data from structured data contained within application systems/databases and unstructured data (e.g., file shares). Major enhancements to systems will be needed to provide this capability and in some cases the erasure of the data subject’s records could impact business processing in which business rules will be violated.
The future articles with Audit Vision to go into detail of the challenges of implementing solutions for the various regulations set forth in GDPR which includes right to erasure, data portability, data breach identification and notification, data and security monitoring, data residency and expansion of the consent requirements.
_______________________________________________________________________________
Mitchell Levine, CISA, Founder and President of Audit Serve Inc. and his consulting team conducts GDPR Impact Analysis and Project Assessments of organizations. Contact Mr. Levine Levinemh@auditserve.com for addirtional information.
Free Audit Vision Newsletter Since 1991 Join 3,500 other subscribers
Advertise with Us