The European Union (EU) General Data Protection Regulation (GDPR) is nearing the end of its two-year implementation period, and guidance on specific areas is still being published.
This guidance will not be a surprise to those organisations who have mature information governance and security regimes which take current legal and regulatory requirements into account.
However, it will provide much needed clarity to those organisations that have run tightly scoped compliance regimes which have been compromised by recent advances in disruptive technologies (which tend not to respect compliance boundaries).
The mounting deficit between these compliance approaches and reality is being brought into sharp focus not only by the guidance, but also by the U.K. implementation of the GDPR through the Data Protection Bill currently making its way through Parliament.
Recent cases against Morrisons supermarket and the Carphone Warehouse show that the legal framework is not restricted solely to data protection and that controls must apply throughout the whole organisation.
This document attempts to present the challenges to suppliers arising not only from the GDPR but also from the current guidance from the Article 29 Working Party and the wider legal context of laws affecting information. Whilst written for suppliers, it is likely to benefit anyone who is either planning or undertaking a compliance programme for the GDPR.
Understanding the challenges allows organisations affected by the GDPR to quantify the business benefit resulting from showing compliance.