Get Ready, Get Set: Don't Hold Off Preparing for GDPR

By Michelle Dennedy, Chief Privacy Officer, Cisco

Michelle Dennedy, Chief Privacy Officer, Cisco

In today’s world, the digital economy can only flourish when you connect people, process, and data in an ethical, meaningful and secure way.

This involves creating an environment in which everyone can easily do business, knowing their data is safeguarded, and helping customers, employees and partners by protecting and respecting personal data, no matter where it is from or where it flows.

If you do business globally (and these days who doesn’t?) you’ve heard about GDPR, or the General Data Protection Regulation. It’s the EU legislation that will be enforced a few short months from now, on May 25, 2018, as the legal framework for data protection across Europe.GDPR supports consumer rights and provides clarity for businesses by establishing a single law across the EU. It affects anyone who transfers data to or from EU member states, so its consequences are quite far reaching.

But GDPR iscomplicated legislationthat requires a structured, formal approach, and unfortunately, to this day,many organizations still don’t havewell-planned solutions in place to aid with their critical data protection and privacy and compliance tasks.

In the vast world of GDPR, yourtop readiness priorities must include identifying what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it – whether at rest, in use, or in motion.To help evaluate all this, consider a few key points:

• Map your data: Who manages your data? Who builds? Who accesses? Who corrects? Who deletes or returns? The “what” determines your strategy, while the “who” makes it a part of your culture.

• Accessandmanage: Evaluate risks, strengths, and opportunities and establish governance for data usage and access.

• Secure:Protect personally identifiable information (PII) with security measures to prevent, detect, and respond to vulnerabilities and data breaches.

“In today’s world, the digital economy can only flourish when you connect people, process, and data in an ethical, meaningful and secure way.”

As you identify your priorities, remember that GDPR is not a legislative exercise alone and don’t assume your legal department is solely accountable for implementing the changes. In fact, GDPR requires a top-down approach with C-level and board-level support, so make sure you form a project team that represents yourentire company and its major divisions and departments. The regulation typically requires a change in attitudesandcompany culture. This canbe the hardest thing to achieve, so education, communication, and building trusted environments arekey.

Understand the Data You Hold

While your organization mighthave well-documented policies, youstill might not have completeinsight into the data you aregathering and storing.Failing to understand what data you have limitsyourability to effectively store it or monitor how it is used. 

Once you have an organizational process for understanding the data, review your existing data protection and privacy policy and look at how you process and assess data breaches. You will want to assessrisk to determineareas of yourbusiness that will be impacted by GDPR and identify the Personally Identifiable Information(PII)your company holds. If you believe the risk is high, make sure you complete a data protection impact assessment so you are prepared.
All too often, there’sa discrepancy between where a business thinks it keeps its sensitive information and where that informationactually resides.

Know if You Require a Separate Team

One common reason some companies underestimate the amount of effort required to comply with GDPR is thatthey are caught by surprise by unknown or additional requests that end uprequiring more manpower. New requests include:

• Individual requests: An individual’s right to request information from a company issomewhat similar to the existing Data Protection Act, but new, expanded rights include providing data in electronic format rather than in letter form.The time organizations have tocomply with a request has been shortened to 30 days.

• Minor requests: If businesseskeepinformation on children, GDPR introduces additional controls and restrictions on the storage of such data; companies must identify this information and fully understand theirresponsibilities.

Because data strategy, data protection and privacy, compliance, and IT infrastructure are all so interdependent,your GDPR strategy absolutely must be a company-wide effort.You will need to continue to build policies and procedures, and remain vigilant and committed to ongoing efforts to support the security, trust, privacy, and resiliency of your customers, employees, and shareholders. For more information on how Cisco is approaching GDPR, visit

New Editions