“This is the view of the UK’s information commissioner Elizabeth Denham, and it’s true because the impact that the GDPR will have on businesses is so deep and will affect internal processes to comply with some of the requirements,” he told Consumer Identity World Europe 2017 in Paris.

The GDPR will also potentially affect the internal structures of businesses and the way responsibilities relating to data protection are allocated, such as the need for some organisations to appoint a data protection officer (DPO).

Although German companies have been required to have data protection officers since 1988, Maiorino said appointing a DPO will be entirely new for many companies outside Germany.

It will be interesting to see how companies will handle this new role and adapt their processes, he said, because under the GDPR, DPOs are required to be free in executing this role.

“DPOs are not allowed to take any directions from company management and they cannot be fired for doing their jobs, which is completely different from the usual situation where employees are required to follow the directions of their managers and do not typically take their employers to task.”

The GDPR principle of privacy by design is another area where the regulation is likely to have a deep impact on internal business processes, according to Maiorino.

“Under the GDPR, products and services will be required to have basic data protection principles such as data minimisation implemented into their structure and into their design, unlike in the past, when the priorities have typically been scalability, user experience and profitability,” he said.

“Data protection was considered and the legal department consulted usually only at the end of the development process, and then legal was often overruled if any obstacles were raised, but this approach will not work under the GDPR.”

Source: www.computerweekly.com