What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
What should my company be doing to prepare for the GDPR?
Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
Hire or appoint a DPO: The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may name someone who already has a similar role to the position. Otherwise, you will need to hire.
Create a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
Conduct a risk assessment: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk.
Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures.
Test incidence response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you are able to adequately report and respond within the time period.
Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement.
Sign up for CIO Asia eNewsletters.