The General Data Protection Regulation (GDPR) became applicable throughout the EU on 25 May 2018.
Many organizations have since announced by email, on (social) media and on their websites that they have 'implemented the GDPR'. It is rarely clear WHAT exactly has been implemented.
In practice we generally see that GDPR implementation concentrates on three things: securing personal data, drafting or replacing data processing agreements, and renewing privacy statements.
The question is to what extent the GDPR has been absorbed into the 'genes' of the organization.
In other words: to what extent are employees aware of the principles of the GDPR and of the 'appropriate technical and organizational measures' derived from them, and are employees actually able to act accordingly?
Article 5 of the GDPR, which sets out the principles relating to the processing of personal data (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability), is the foundation of the regulation. These principles recur, explicitly or implicitly, in a number of important articles that deal in greater detail with processing. For example, article 25 [Data protection by design and by default] implicitly incorporates the principles of purpose limitation, storage limitation, integrity, confidentiality and data minimisation.
Nevertheless, this 'top-down' approach, starting from the Article 5 principles and working down to concrete measures, appears to be the exception rather than the rule. Many organizations have introduced the GDPR 'rule-based', solving individual issues on an ad hoc basis. The risk of this approach is that each department gives its own interpretation to the principles that are 'hidden' in an article, so that the organization ends up with inconsistent measures and no shared understanding of why they exist.
This raises the question of how mature an organization is in the field of privacy protection.
Maturity is not demonstrated by a paper implementation and / or the 'window dressing' of a privacy statement, while the organization is not adequately equipped to comply with it.
Maturity must be apparent from, on the one hand, the degree of assurance and demonstrability of the appropriate technical and organizational measures and, on the other hand, actual compliance with those measures within the organization.
Maturity can be divided into 5 levels (derived from the ISACA / CMMI maturity models), with each level representing a certain degree of residual risk. The higher the maturity level, the lower the risk of:
- a breach of a person's privacy (a personal data breach),
- an administrative fine and / or compensation for damages, and
- directors' liability.
'When it was first announced that the GDPR would introduce fines of up to 20 million Euros, directors across the EU paid attention. It is now clear that fines of this level will be reserved for the most flagrant and damaging breaches of the data protection principles. Even so, there is a range of regulatory, reputational and, therefore, commercial consequences for any organization which fails to meet the higher standards of responsibility created by the GDPR. For this reason, data protection has become a priority within the board room. Under the GDPR, there is a range of criminal offences relating to data protection including unlawfully obtaining, disclosing or selling data and various offences relating to the exercise of the Supervisory Authority's statutory powers, including altering or destroying data with the intention of preventing disclosure of information to a data subject. Directors may be liable for the criminal offences of the company where these were committed with their "consent, connivance or neglect." Whilst prosecutions of directors under the DPA have been rare, directors should be conscious of the possible criminal offences which an organization may commit and the possibility of the Supervisory Authority prosecuting individuals.' [derived from a blog post by Emily Carter, Kingsley Napley (law firm)].
Do you want to know how mature you perceive privacy protection to be within your organization? Then do the test below!
To get a good picture of privacy protection in your organization, it is advisable that several of your colleagues do this test as well. The more colleagues take the test, the clearer the general perception of how the organization protects privacy becomes.
Choose the answer that you think is closest to the way your company protects privacy.
Are you curious about the score? Follow this blog!
A score table will be published in the next post. With it you can calculate your score.
With this score you can determine your perception of your organization's maturity level regarding privacy protection.