News
3 May 2017 | ITSM

Organizations Are Unprepared for the 2018 European Data Protection Regulation
Analysts identify five high-priority actions for data controllers and processors inside and outside of the European Union...

The European General Data Protection Regulation (GDPR) will have a global impact when it goes into effect on May 25, 2018, according to Gartner, Inc. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

"The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well," said Bart Willemsen, research director at Gartner. "Threats of hefty fines, as well as the increasingly empowered position of individual data subjects, tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data."

The GDPR replaces the Data Protection Directive 95/46/EC. It is designed to support the single market, to harmonize data privacy laws across Europe, to protect and empower data subjects in the European Union (EU), and to reshape the way organizations approach the privacy of those data subjects' personal data wherever in the world the organization operates.

Gartner recommends organizations act now to ensure they are in compliance when the regulation goes into effect. They should focus on five high-priority changes to help them to get up to speed with GDPR requirements.

1. Determine Your Role Under the GDPR

Any organization that decides why and how personal data is processed is a "data controller"; an organization that processes personal data on a controller's behalf is a "data processor." The GDPR therefore applies not only to businesses in the European Union, but also to all organizations outside the EU that process personal data in order to offer goods and services to data subjects in the EU, or to monitor the behavior of data subjects within the EU. Such organizations outside the EU should appoint a representative to act as the contact point for the data protection authority (DPA) and for data subjects.

2. Appoint a Data Protection Officer

Many organizations are required to appoint a data protection officer (DPO). This is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities. "Large scale" does not necessarily mean hundreds of thousands of data subjects.

3. Demonstrate Accountability in All Processing Activities

Very few organizations have identified every single process in which personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when a new processing activity starts, as this helps to maintain compliance in future personal data processing activities. Organizations must be able to demonstrate accountability and transparency in every decision regarding personal data processing. Outside parties must also comply with the relevant requirements, which can affect supply, change management and procurement processes. It is important to note that accountability under the GDPR requires consent to be properly obtained from data subjects and recorded. Prechecked boxes and implied consent will be largely in the past: a clear and affirmative action is needed, which will require organizations to implement streamlined techniques to obtain and document both consent and consent withdrawal.

4. Check Cross-Border Data Flows

Data transfers to any of the 28 EU member states* are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries** the European Commission (EC) deemed to have an "adequate" level of protection are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU "Model Contracts") should be used. EU-based data controllers should pay specific attention to new mechanisms under the GDPR when selecting or evaluating data processors outside the EU and ensure appropriate controls are in place. Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.

5. Prepare for Data Subjects Exercising Their Rights

Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g., in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.

Notes

*The consequences of Brexit are still unknown. Possibilities include the U.K. receiving a positive adequacy decision from the EC, or being included as a European Economic Area (EEA) member.
**At the time of publication, the 11 countries are Andorra, Argentina, Canada (for commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Legal disclaimer: The opinions and recommendations in this research should not be construed as legal advice. Gartner recommends that entities subject to legislation seek legal counsel from qualified sources. Gartner clients can learn more in the report "Focus on Five High-Priority Changes to Tackle the EU GDPR," available at https://goo.gl/7pUUgn.

