The International Association of Privacy Professionals (IAPP) has completed its Top 10 list of the Operational Impacts of the General Data Protection Regulation (GDPR). Organizations should consult the list for a high-level overview of the types of changes to policies and procedures that they will need to make. We have narrowed the list down to two of the most important impacts, and discuss how Cranium can provide solutions to them.
Cybersecurity and data breach notification obligations
Privacy and Security go hand-in-hand. Your organization will have an ineffective (and noncompliant) Privacy program if it is not backed up by the latest technical safeguards. Article 32 is strict in its requirements. It says that organizations must “implement appropriate technical and organizational measures” along with considering “the state of the art and the costs of implementation.”
However, no organization is fully immune to cyber-attacks: hackers and thieves evolve with the technology. If there is a data breach affecting personal data, the GDPR mandates that the organization notify the relevant Data Protection Authority (DPA) within 72 hours. Article 33 lists what each notification must contain. Data subjects must also be notified “without undue delay” if the organization determines that the breach will affect the rights and freedoms of the individuals affected.
Cranium has experts in both cybersecurity and privacy policies and solutions. We can help your organization develop proper safeguards and policies in order to avoid being in violation of the GDPR. Please visit our list of solutions here.
Cross-border data transfers
The GDPR allows international transfers of data only to countries deemed “adequate” by the European Commission. If a country has no adequacy decision, there are a few other means of making transfers lawful. International companies can create Binding Corporate Rules (BCRs), under which the organization commits to strict rules for the proper handling of personal data; a relevant DPA must approve these rules. Likewise, controllers and processors can adopt standard contractual clauses, through which they negotiate and place legally binding obligations on themselves to comply with the GDPR.
For the US in particular, the Commission and the US Government have an agreement in place called the Privacy Shield, which has its own set of legal obligations for controllers and processors here in America. Once a company becomes Privacy Shield certified, they can receive and process European personal data legally.
Cranium can help your organization develop a plan to become Privacy Shield certified, or draft BCRs or standard contractual clauses. We have consultants who have worked with global businesses across all types of industries.
Again, please visit the IAPP’s list to get the full scope of the operational impacts. Cranium has solutions and consultants that can address every one of them.