Are You Confused About GDPR Compliance?
Distance learning for data protection professionals and experts is becoming an essential tool for complementing classroom education. The complexity and volume of knowledge and expertise that need to be acquired are continuously increasing.
On 25 May 2018, the European Union’s General Data Protection Regulation, or GDPR, went into effect. Nearly two years later, major stakeholders are still confused about the extent of required compliance – a confusion that can often be costly.
The good news is that much of the costly confusion that surrounds the GDPR can be avoided through education, awareness, and adequate management.
According to DLA Piper, a multinational law firm, there have been over 160 000 data breach notifications across Europe, resulting in EUR 114 million in fines. This includes a EUR 400 000 fine for a hospital in Portugal and the EUR 50 million imposed on Google – the biggest penalty under the GDPR to date.
But it’s not just the penalties that are expensive. Perhaps even more costly are the thousands of unstructured, last-minute compliance initiatives and urgent efforts to correct a reported breach happening in companies across Europe.
Far too many companies fail to fully understand what the GDPR requires of them. To compensate for this lack of understanding, these companies tend to involve as many people as possible, including data processors, IT, information security, external suppliers and sub-contractors – to name only a few.
Unfortunately, when too many people are involved, the result is typically an unorganised and overly complicated approach to compliance.
But the answer isn’t simply better organisation. Even companies that make significant investments, designate specific people to specific tasks, and implement structural changes can still fail to comply with the GDPR.
“The extent of compliance is seldom directly related to the cost incurred,” says Georges Ataya, Academic Director of Digital Governance and Trust at Solvay Brussels School. “More often, it has to do with a lack of understanding by the various parties involved in the actual processing of data.”
Tools of the trade
So, what’s a company supposed to do? One place to start is the Solvay Brussels School European Data Protection Programme. Designed to provide the information and skills needed to reduce compliance-related actions, the course focuses on the five competencies that everyone involved in data processing needs:
- Legal Management Requirements: define data protection objectives and scope
- Risk Impact and Assessment: identify the gap in reaching defined protection targets
- Compliance Transformation: manage compliance-related transformation
- Information Security and Privacy: protect and secure architectural components
- Response and Breach Management: operate, react and notify when needed
“These skills aren’t just for the Data Protection Office (DPO) – they’re essential tools of the trade for anyone involved in processing personal data,” adds Professor Ataya. “This includes personnel involved in the processing activities, such as human resources and marketing, along with external suppliers and outsourced personnel who act on behalf of the company and deal with personal data.”
Professor Ataya notes that the Solvay Brussels School course is also relevant to legal, information technology, digital transformation, and information security experts.
Offered since 2017, the course is regularly updated to reflect the most recent regulations and developments.
The next edition, set to start in October 2020, will feature a new distance-learning component.
“Starting from the day of registration, participants will already be able to access online activities and information, including case studies and quizzes, even before the first day of class,” says Professor Ataya. “This online component is meant to supplement one’s classroom learning, resulting in an even deeper understanding of the topic.”