Mistakes Companies Are Making In Preparation For GDPR
I am a Microsoft Dynamics 365 Certified Solutions Expert. and writing these common mistakes l have noted in the past 12 months so everyone can consider these when planning for GDPR so you do not get caught out when preparing for GDPR so in writing these does not mean l am a GDPR Expert or a GDPR Officer this post is designed to help you look at your considerations carefully when preparing for GDPR. l have noticed with several organisations and believe me there is a lot of panic out there to meet the compliance standards, so keep in mind that errors will likely be made without a doubt.Speaking to fellow experts in Europe and in the United States, I was able to gather some of the more common GDPR preparation mistakes.
Thinking GDPR doesn’t apply to your organisation
After a few visits to the United States in the past 12 months this the single biggest mistake most American companies are making about GDPR. They believe that because they are headquartered and primarily based in the United States. GDPR isn’t something to worry about. It’s a European problem not American. While that attitude has begun to shift, it’s important to remember that any company based anywhere in the world is subject to GDPR if they employ 250 or more employees and control or process personal data related to EU residents.
GDPR is a guideline, so its waste of time and resources
If you are struggling with GDPR, it might be because you are taking the wrong approach without a doubt and l recommend you seek urgent help from experts well versed with the GDPR legislation. The biggest mistake enterprises are making while preparing for GDPR is to view it as an obstacle, and just assign a project manager who does not understand the implications of GDPR. While there are many challenging aspects, at its core GDPR gives businesses guidelines that will actually make data more valuable by removing redundancies and eliminating data siloes. If IT teams view this as an obstacle, they will do the the minimum to achieve compliance while missing out on an opportunity to align GDPR compliance with overall business goals therefore this should be a collective effort which l believe should include business users and IT colleagues
Thinking about sensitive data in historical terms
GDPR has us rethinking a lot of terms and ideas that we’ve been used to. Take sensitive data. In this common issue l would like to point out that definitions of sensitive data need to be rethought and brought to a much broader standard. Under the GDPR, more types of data - including contact information, genetic data, biometric data and IP addresses - will be classified as sensitive,
Believing Past Practices Meet GDPR, therefore its paramount for any organisation to look on wider picture on some of these concepts
You may have great data governance practices already in place. But in the GDPR world, that may only be a foundation for today’s new rules. There are several fundamental new aspects introduced in this legislation. For example, right to be forgotten” mandates companies delete personal data if requested, and “right to know when my data is hacked mandates companies let supervisory authorities know that EU-resident data was hacked.
Ignoring the creation of record of processing activities
Article 30 of GDPR is Record of Processing Activities, and forgetting about to examining your applications and processes would be a real mistake. A major stepping stone of GDPR success is to take inventory and reconcile all applications on the organization’s software estate – especially software titles that are a known GDPR risk for the personal data they hold,
Overlooking segments of your data collection
When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.
Deciding against hiring a Data Protection Officer
Almost many people I have spoken over over the past 12 months has recommended the importance of making your organization’s GDPR strategy planning a team effort; this is not a one-person job. However, you still need someone to take ownership of GDPR. One of the biggest mistakes I have seen is organisation not designating or hiring a Data Protection Officer (DPO) siting unnecessary added financial cost which could prove costly for your organisation in the long run. The primary role of the DPO is the strategy and implementation of the security requirements of various laws and regulations, the primary one here is GDPR, The DPO should also take on leadership of incident response management, particularly with the 72-hour breach notification requirement in GDPR.
Not Asking for Help/Questions
GDPR is a new learning curve for everyone without a shadow of a doubt. Some organizations are ahead of the game. Some are rushing to the deadline. We have all been provided with the same information about GDPR.Therefore if you are working with a data specialist who has spent considerable time learning the ins and outs of GDPR, Don't shy away to ask tough questions to make sure the resources they rely on are well-prepared for what’s to come. In other words, trust the students who put in the time to ace the exam, not the ones crossing their fingers hoping for the best
Thinking GDPR doesn’t apply to your organisation
After a few visits to the United States in the past 12 months this the single biggest mistake most American companies are making about GDPR. They believe that because they are headquartered and primarily based in the United States. GDPR isn’t something to worry about. It’s a European problem not American. While that attitude has begun to shift, it’s important to remember that any company based anywhere in the world is subject to GDPR if they employ 250 or more employees and control or process personal data related to EU residents.
GDPR is a guideline, so its waste of time and resources
If you are struggling with GDPR, it might be because you are taking the wrong approach without a doubt and l recommend you seek urgent help from experts well versed with the GDPR legislation. The biggest mistake enterprises are making while preparing for GDPR is to view it as an obstacle, and just assign a project manager who does not understand the implications of GDPR. While there are many challenging aspects, at its core GDPR gives businesses guidelines that will actually make data more valuable by removing redundancies and eliminating data siloes. If IT teams view this as an obstacle, they will do the the minimum to achieve compliance while missing out on an opportunity to align GDPR compliance with overall business goals therefore this should be a collective effort which l believe should include business users and IT colleagues
Thinking about sensitive data in historical terms
GDPR has us rethinking a lot of terms and ideas that we’ve been used to. Take sensitive data. In this common issue l would like to point out that definitions of sensitive data need to be rethought and brought to a much broader standard. Under the GDPR, more types of data - including contact information, genetic data, biometric data and IP addresses - will be classified as sensitive,
Believing Past Practices Meet GDPR, therefore its paramount for any organisation to look on wider picture on some of these concepts
You may have great data governance practices already in place. But in the GDPR world, that may only be a foundation for today’s new rules. There are several fundamental new aspects introduced in this legislation. For example, right to be forgotten” mandates companies delete personal data if requested, and “right to know when my data is hacked mandates companies let supervisory authorities know that EU-resident data was hacked.
Ignoring the creation of record of processing activities
Article 30 of GDPR is Record of Processing Activities, and forgetting about to examining your applications and processes would be a real mistake. A major stepping stone of GDPR success is to take inventory and reconcile all applications on the organization’s software estate – especially software titles that are a known GDPR risk for the personal data they hold,
Overlooking segments of your data collection
When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.
Deciding against hiring a Data Protection Officer
Almost many people I have spoken over over the past 12 months has recommended the importance of making your organization’s GDPR strategy planning a team effort; this is not a one-person job. However, you still need someone to take ownership of GDPR. One of the biggest mistakes I have seen is organisation not designating or hiring a Data Protection Officer (DPO) siting unnecessary added financial cost which could prove costly for your organisation in the long run. The primary role of the DPO is the strategy and implementation of the security requirements of various laws and regulations, the primary one here is GDPR, The DPO should also take on leadership of incident response management, particularly with the 72-hour breach notification requirement in GDPR.
Not Asking for Help/Questions
GDPR is a new learning curve for everyone without a shadow of a doubt. Some organizations are ahead of the game. Some are rushing to the deadline. We have all been provided with the same information about GDPR.Therefore if you are working with a data specialist who has spent considerable time learning the ins and outs of GDPR, Don't shy away to ask tough questions to make sure the resources they rely on are well-prepared for what’s to come. In other words, trust the students who put in the time to ace the exam, not the ones crossing their fingers hoping for the best
Great article! Really raises the issue which companies will be facing if they don’t properly address GDPR.
ReplyDelete