As the GDPR progresses along its path, the program to comply with the new discipline has to be envisaged.
Such a program shall surely be complex, given the impacts that the new regulation is going to have on organization, processes and technologies.
Preliminarily, there are two basic questions that need to find answers:
- What is the allowed time scale, i.e. when will the GDPR be fully effective?
- What exactly will change in the daily practice?
Not being a lawyer, the first question is not a straightforward one for me.
An EU regulation, as such, does not necessarily have to be ratified by national authorities to become effective, but after its publication in the Official Journal of the European Union a two-year transitional period will start, and only at its completion will it be directly applicable.
So the question becomes: what will happen with national DP laws?
In Italy, for one, dlgs 196/03 not only includes provisions that are superseded by the new GDPR, but also rules enforcing different EU ones then not affected. Also, many other bills refer to and make assumptions on the privacy code.
Moreover, each member state shall lay down rules for sanctions and may modify some aspects of the GDPR, not to mention the need for standards and guidelines.
So while the transitional period is being used to complete the legal framework, businesses shall design processes
- To assess, mitigate and document privacy risk;
- To review and integrate existing controls;
- To detect and communicate data breaches.
I agree. I would add that I see a trend where most modern compliance regimes (in different areas) are inspired by international best practices regarding security. These new regimes mention segregation of duties, risk analysis, the need-to-know principle and so on. So performing the tasks you suggest will be beneficial in the long term for other compliance requirements and for security in general.