The General Data Protection Regulation (GDPR) will come into effect in May 2018, but businesses should not rush to comply. Rather than embarking on large-scale projects, a pragmatic and context-driven approach is essential for successful compliance.

The new European regulation applies to all businesses targeting clients or citizens of the EU, including those outside the EU. This means that companies now have increased responsibility for how personal data is managed, including when it is handled by third-party providers (e.g., SaaS). It is important to understand that all company functions can be impacted, not just IT and data security, but also marketing, HR, archiving, and communication.

Organizations can rely on existing local laws, such as ISO standards, and practices related to governance, internal controls, and security. However, a detailed mapping of the company's personal data, processing activities, and information flows is essential for a successful transition. Performing a risk assessment is also necessary to create a tailored action plan for the organization.

While the May 2018 deadline may seem imminent, regulators do not expect companies to be fully compliant by that date. Therefore, businesses need to have a clear understanding of gaps to fill and a solid roadmap for addressing the regulation.

Source : ICTjournal