The GDPR applies to organizations that process the personal data of individuals in the EU, whether or not the organization itself is based there. The upcoming effective date of May 25, 2018 has created lots of excitement, frenzy, and noise around GDPR.
This is not the first data protection law, regulation, or standard to take effect, and it will not be the last. However, it feels different because it introduces measures that data privacy advocates and tech-savvy cybersecurity professionals would argue are necessary to properly secure personal data in our digital economy.
A correct GDPR implementation plan will impact how your company runs. That means it will impact the people, technology, and processes that support the company. There is no single tool, environment migration, training module, or policy template that will satisfy all GDPR requirements. If anyone claims otherwise, ask lots of questions, because they are likely misguiding you.
Tread carefully with vendors and sales pitches that promise that a one-time investment will fulfill all your GDPR requirements. That is simply not true.
If your company holds data about individuals in the EU, and that data includes any of the fields listed in our previous post, continue with your due diligence. Your next step from here should be to create a Data Inventory: a record of what personal data you hold, where it lives, and who processes it. That inventory determines what your GDPR compliance roadmap needs to include. We created a handy diagram, called The 10 GDPR Components. Think of this as GDPR broken down into 10 chunks. Some companies will need to address all 10 components, while others will only need to address some of them.