… the organization’s bottom line. Ultimately, if organizations aren’t compliant, they risk losing customers, partners and revenue.”
“Under GDPR, organizations must have a process in place for responding to various data subject requests,” Aber said. “Don’t let this be a fire drill. You still have time to get organized and document personal data within your organization. Roll up your sleeves and dive in.”
If you have a program underway, if your leadership team is behind it, and the will and budget are there, then you’ve already won the battle, Hall said. However, once May 25 has passed, you are running at greater risk should there be a breach, he said.
Many compliance programs – whether regulatory, such as GDPR or the Health Insurance Portability and Accountability Act (HIPAA), or technology-specific, such as ISO 27001 or SOC 2 for information security management – often have controls that overlap, he said.
“For example, if you are already HIPAA-compliant and have to abide by particularly restrictive state laws, then you may already be 90 percent GDPR-ready,” he said. “A common pitfall is to tackle these compliance programs as separate projects, burning time and effort unnecessarily. Technology can help identify common clauses and controls, and allow a firm to save time and money by mapping one regulation against another.”
If you miss the deadline, it’s important to take action, rather than hoping for the best, Doeswijk said.
“Go to the regulator in your country, log your concerns, explain what you have done and are still doing, and what you will continue to do after the effective date,” he said. “What should be clear: the effort for GDPR compliance does not end with the effective date; you will have to continue to evolve your privacy and security measures as your business evolves.”
The best way to mitigate potential penalties is to …