May 25, 2018 is the effective date of General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU.  The GDPR requires companies to take steps to help secure personal data rights and more generally protect that data. The regulation also provides individuals with certain rights over their personal data, including a right to access, correct, delete, and restrict processing of their data.

According to a recent IBM’s “How it works – GDPR” guidebook, 50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate, and this may lead many companies to appoint a Data Protection Officer.

Not complying with GDPR certainly becomes a legal issue and the probable penalties are relatively higher than most other legal violations.  However, GDPR shall not be treated as one of many legal issues.  It serves as a wake-up call at the minimum besides it starts changing the mindset and behavior on how companies manage data no matter what countries such data comes from.

Knowing at least half of the global companies may not be fully ready for GDPR implementation, what an auditor can do to help before regulators knock on the door and penalize the companies for up to 4% of the global annual revenue or Euro $20M, whichever is higher?

We are 4 days away from the deadline: 5.25.2018.  Perhaps the following approach can help the companies who may not be 100% ready:

  1. Understand overall company data strategy and ownership
  2. Understand systems and tools that can affect data management
  3. Get visibility of the decision-making process: what efforts have been made, will be made, and will not be made (management accepted the risks)
  4. Evaluate the choices that management has made to assess risks
  5. Provide suggestions on minimizing exposure and risks

In the U. S., we used to say and apply the rule of “acting in good faith”.  Unfortunately, GDPR won’t give consideration to that.  If it is true that the regulators may target companies that have the most marketing presence in EU, then one short-term strategy for companies to buy some time to get ready would be reducing the advertising or any marketing campaigns so as to reduce the visibility and exposure.

GDPR is just the beginning.  As most companies do not have standalone data systems for EU data only, it may not be feasible to isolate GDPR related data so that the GDPR strategy and implementation may have forced many companies to change overall data management strategy as well as overall data systems or tools.

It will be interesting to see how regulators approach violations after the deadline of 5.25.2018…