The time for US companies to get ready for the EU’s General Data Protection Regulation is now and it’s all hands on deck.
“Who shouldn’t?” answered Liz Walker when asked who within an organization should prepare for the directive, which will transform how businesses process and handle data. It is scheduled to go into effect May 25, 2018.
“This isn’t just a legal department or compliance issue, or a risk management issue,” said Walker, head of enterprise risk and global insurance at Groupon Inc., during a recent Advisen webinar sponsored by CyberScout. “This is going to touch every aspect of your business.”
Large businesses especially tend to be siloed but companies “can’t afford not to break down those silos because it won’t matter when it comes to an investigation or regulatory action. This truly is on everyone,” Walker said.
Lisa Berry Tayman, CyberScout’s senior privacy and information governance advisor, said preparation for the GDPR will “force groups who have not worked together to work together.” She said the entire organization needs to understand how data is collected, received, moved throughout the organization, and transferred.
Tayman said her current role is consultant to a number of organizations that process personal data or act as controllers. The approach right now is one of rapid assessment: prioritizing actions where needed and getting boots on the ground so that the compliance framework is supported.
Unraveling, understanding, and assessing the effect of the regulation is a “large undertaking,” said Walker. Aside from compliance issues, Walker has looked to mitigate the risk with insurance but has found that coverage can be tricky. A policyholder might find coverage under a cyber policy, but such policies are typically triggered by a breach, whereas fines and penalties related to the GDPR can be levied without a breach.