May 25, 2018 is the effective date of the General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR requires companies to take steps to secure personal data rights and, more generally, to protect that data. The regulation also provides individuals with certain rights over their personal data, including the right to access, correct, delete, and restrict processing of their data.

According to IBM's recent "How it works – GDPR" guidebook, 50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate, and this may lead many companies to appoint a Data Protection Officer.

Not complying with GDPR is certainly a legal issue, and the probable penalties are higher than for most other legal violations. However, GDPR should not be treated as just one of many legal issues. At a minimum it serves as a wake-up call, and beyond that it starts changing the mindset and behavior of how companies manage data, no matter which countries that data comes from.

Knowing that at least half of global companies may not be fully ready for GDPR implementation, what can an auditor do to help before regulators knock on the door and penalize companies for up to 4% of global annual revenue or €20M, whichever is higher?

We are 4 days away from the deadline: 5.25.2018. Perhaps the following approach can help companies that may not be 100% ready:

  1. Understand overall company data strategy and ownership
  2. Understand systems and tools that can affect data management
  3. Get visibility of the decision-making process: what efforts have been made, will be made, and will not be made (management accepted the risks)
  4. Evaluate the choices that management has made to assess risks
  5. Provide suggestions on minimizing exposure and risks

In the U.S., we used to say and apply the rule of "acting in good faith". Unfortunately, GDPR won't give consideration to that. If it is true that the regulators may target