The General Data Protection Regulation (GDPR) became effective on 25 May 2018. This regulation, concerning personal data processing, has extra-territorial implications. Any organisation which does or intends to process personal data pertaining to residents of the European Union must comply with the requirements of the GDPR.
The regulation itself is principles based and seeks to put the responsibility on organisations to determine what is the most appropriate framework to implement in order to evidence compliance.
Organisations need to evidence and demonstrate that a risk-based framework is in place and is applied across the organisation. In essence, an organisation must have robust policies, procedures and controls, set accountability at the right levels, keep staff trained and enforce compliance.
Failing to satisfactorily evidence compliance can lead to significant fines (2 to 4% of your organisation’s global turnover), other penalties, and loss of reputation, revenues and client relationships.
Here are a few ways Hermes T&C can help your organisation determine the impact of the GDPR and how to achieve compliance:
- Conducting a gap analysis of the framework that is in place and providing recommendations to address any gaps or issues
- Designing and building an end-to-end framework appropriate for the complexity of data processing within your organisation
- Helping your organisation implement such a framework
- Conducting post-implementation assessments to provide feedback on what improvements need to be made
- Assurance testing of operational compliance
- Training of staff at all levels
- Ongoing support to C-Suite management and Board relating to strategic governance and assurance mechanisms to stay on top of issues
- Ongoing advisory support to operational teams (DPO) on regulatory issues and any regulatory changes