Adaptation Plan to General Data Protection Regulation (GDPR) (I)

Adapting an organization to the General Data Protection Regulation (GDPR) involves much more than acquiring a software tool; it goes beyond hiring advisory services or appointing a Data Protection Officer (DPO). It is a cultural change that involves the people, the data and the processes that make up the organization, building a new vision of personal data aimed at its protection and respect.

The main objective of the General Data Protection Regulation is to protect the rights and freedoms of the individual when their personal data is processed. To achieve this objective, the regulation was built on three fundamental principles: the principle of data protection, the principle of transparency and lawfulness, and the principle of accountability.

The principle of data protection requires instilling in the organization a policy and a series of measures that consider the privacy of personal data from the design or conception of the processes that act on it, and that limit the processing of personal data as much as possible. Each and every person who is part of the company must always bear in mind that personal data must be protected, respected and processed lawfully.

The essence of the principle of transparency and lawfulness is that data is obtained and processed in a lawful and fair manner, and that the communication about the processing to which it will be subjected is clear and easily understood by the individual. One of the fundamental objectives of this principle is to ensure that there is an adequate legal basis for the processing of personal data.

Complying with the regulation is not enough: according to the principle of accountability, the organization must also be able to demonstrate compliance by fulfilling different obligations. One of them is keeping records of all activities carried out in the organization that involve the processing of personal data. The organization must also have the capability to carry out impact assessments and risk analyses in those situations where the processing of personal data may entail a greater threat to the privacy of the individual, and therefore implement specific additional technical and organizational measures, or even decide not to proceed with a specific process.

Therefore, any plan for adapting to the regulation must be designed around the different use cases or gaps that must be covered, based on the current state of the organization in terms of the processes that handle personal data and the policies that govern those processes.

As stated at the beginning, complying with the GDPR is not a matter of implementing a software tool; on the contrary, it means the evolution of the entire organization towards the idea that personal data is an asset to be protected, because protecting it respects the privacy of the individual.

At SAP we have been leading the business management software market for fifty years, and from our beginnings, security and data protection have been part of our DNA. Our portfolio of solutions for Cybersecurity and Governance, Risk, and Compliance includes a set of applications designed to help organizations in their goal of protecting personal data and privacy. These solutions correspond to the different use cases that arise after an in-depth analysis of the principles of the regulation in the early stages of any project to adapt to the GDPR.

This article is the first of a series to come. Please don't hesitate to share your feedback in a comment.