The General Data Protection Regulation (GDPR) affects all organizations that do business with the European Union and its residents. Which means it is the rare company around the globe that isn't impacted by the GDPR.
Despite years of preparation for the onset of this regulation - the legislation was proposed in 2015 - most organizations are not fully prepared for the GDPR, even as it becomes the law.
The GDPR is broad in scope and focused on the entirety of the flow of personal data in all its forms throughout an organization. Even if an organization wanted to, it would be difficult to simply tick compliance boxes for GDPR. The boxes don't exist.
What GDPR is really asking organizations to do is to change their mindset about personal data and who the owner of the data is. Dave Burleigh, one of our GDPR experts at Trustwave, says that "personal data is like DNA in document form." The data subject is clearly the owner of that DNA and should maintain rights about when, where and how that DNA is shared and when it is refused or retracted.
It remains to be seen how swiftly penalties are enacted for GDPR violations and how broadly across the globe. But it's fairly easy to predict that the GDPR is just a precursor of increasingly stringent data privacy regulations in other regions. Thus, as you drive your organization toward compliance with GDPR, implementing these high data privacy standards for residents of any country may offer you future proofing for upcoming regulations from other regions.
Changing your organizational culture's approach to managing personal data will require persistent effort that affects gathering, storing, accessing and processing personal data. From your initial analysis of your current data flow to the opportunity to build "privacy by design" in to new systems and processes, participation from the entire organization is required. It can't be a siloed IT project. The GDPR calls for an ongoing and unified program.
Wherever your organization is in relation to GDPR requirements, you should take a strategic look at how you can make the changes in both mindset and processes to develop an effective and ongoing data privacy and security lifecycle.