If your organization has not started working on compliance with the General Data Protection Regulation (GDPR) yet, you are not alone. In fact, according to a recent survey by Veritas in April 2017, less than one third of organizations believe they are GDPR ready. With less than a year left to become GDPR compliant, organizations will need to prioritize compliance steps to meet the May 25, 2018 date when the regulation becomes enforceable. The GDPR's 99 Articles and 173 Recitals can be overwhelming for organizations, even those that have already made significant investments in privacy and security, but there are five high-impact steps your organization can take immediately to get ready on time, regardless of industry or size.
What Is GDPR?
The GDPR is a comprehensive, EU-wide data protection regulation that dictates how information about individuals (Personal Data) can be handled, and aims to increase existing protections for an individual's (or, Data Subject's) fundamental privacy rights. The GDPR will replace the European Union's (EU) Data Protection Directive 95/46/EC (the Directive) on May 25, 2018.
The major changes with the GDPR include: (i) an expanded territorial scope beyond EU-based businesses (see below); (ii) both an expansion of existing obligations and introduction of new obligations on organizations handling EU Personal Data; (iii) harmonization of various differences that currently exist between EU member states; (iv) expansion of investigatory and corrective powers for Supervisory Authorities (or, Data Protection Authorities); and (v) increased penalties for non-compliance.
Does GDPR Apply to Your Organization?
With an expanded territorial scope, the GDPR applies to organizations without a physical presence in the EU if the company:
1. Offers goods or services to Data Subjects in the EU or monitors their behavior
2. Processes the Personal Data of Data Subjects located in the EU, either on its own behalf or on behalf of other businesses (such as Processors), regardless of whether the processing takes place in the EU
3. Has employees in the EU
Five Practical Steps to Compliance
Every organization's path to GDPR compliance will be unique and will depend on a wide range of factors. Many organizations find it helpful to have a third party (with privilege) complete a GDPR gap assessment to streamline the process and identify the specific projects to be undertaken. Regardless of the gap assessment findings or the maturity of an organization's privacy program, most organizations will need to work on the recommended steps below as a part of GDPR compliance. The projects listed below are intended to be high-impact steps toward compliance and will not ensure full compliance with the GDPR. However, these steps will get your organization on track for compliance and could help provide a clearer picture of what needs to be done. For example, a life sciences organization may complete the first mapping exercise and discover that it should invest more into a system that facilitates Data Subject access, while an online retailer may find that it needs to focus on notice and consent agreements rather than Data Subject access.
As businesses work toward GDPR compliance, it is important to keep in mind that the GDPR requires organizations to be accountable for data processing activities. The accountability principle of the GDPR not only requires that organizations implement appropriate data protection policies, processes and procedures, but also that they demonstrate compliance with such measures. Therefore, becoming GDPR compliant is not a one-time exercise, but an ongoing process in which an organization evaluates its data privacy protections as it continues to grow and change. For instance, if an organization determines initially that it does not need a Data Protection Officer (DPO) as a part of its GDPR compliance work, this decision should be re-assessed regularly. By complying with the accountability principle, organizations ensure that there is a documented rationale for data processing decisions.
The steps below are addressed in order of priority, but many can be worked on simultaneously once a data governance structure is established. Security and incident response are not addressed below because both lie largely in the hands of IT and security departments, in coordination with in-house and external counsel. The GDPR does not contain prescriptive security requirements, but Controller organizations now have specific breach reporting requirements, which require reporting breaches to a Supervisory Authority within 72 hours of the Controller becoming aware of a security breach involving Personal Data.
1. Governance Structure
To begin GDPR compliance, an organization should appoint key stakeholders to join a data protection governance group, assigning responsibility to each individual to drive GDPR work streams or projects. Key stakeholders should include individuals from the legal department and individuals making data processing decisions in different departments, such as HR, Marketing, Customer Service, IT and Security, along with engagement from senior management and the board of directors. The data processing activities of a single organization are often more complex and varied than expected, so having a diverse set of stakeholders involved ensures a holistic approach to the GDPR that identifies data processing issues and risks more efficiently and effectively. Depending on the size and complexity of an organization, it may make sense to structure the governance group such that there is a GDPR steering committee, project groups and subject matter experts.
An organization should also determine whether to appoint a DPO and/or member representatives. In recently published guidelines, the Article 29 Working Party (WP29) recommends that organizations consider appointing a DPO even if not required to do so under the GDPR, particularly given the ongoing accountability principle discussed above. The same guidelines also list the qualifications and responsibilities of a DPO within an organization.
2. Data Mapping
After establishing a governance structure, the next step organizations should undertake is data mapping. Data mapping is key to understanding what Personal Data an organization processes, and will enable an organization to determine how best to prioritize and undertake other GDPR compliance projects. Data mapping can be conducted manually by an organization or a third-party vendor, and/or with the assistance of technology tools.
Regardless of how an organization decides to undertake the data map, the map should include:
- An inventory of the types of Personal Data handled
- Categories of Data Subjects the Personal Data is collected from
- Location(s) of the Personal Data
- Flows of Personal Data (e.g., from/to categories of service providers, internal departments, etc.)
- Purpose(s) of data processing
- Data transfer mechanisms used, if applicable (e.g., Privacy Shield, Standard Contractual Clauses, Binding Corporate Rules, etc.)
- Retention periods for such Personal Data
- A general description of security controls
3. Notice & Consent
Organizations should update internal and public-facing notices, consents and supporting policies, processes and procedures. Under the GDPR, organizations now have additional obligations when seeking consent and providing notice to customers and employees. For example, Data Subjects now have expanded rights, including the right of access, rectification, objection to processing, restriction of processing, data portability and erasure (the Right to be Forgotten). While updating or drafting new notices and consents may not be as onerous as data mapping or some of the other GDPR compliance steps, it can significantly mitigate an organization's risk.
4. Vendor Management
The GDPR requires organizations to (i) perform due diligence before transferring EU Personal Data to a third party, (ii) have certain contractual guarantees in place and (iii) have an international data transfer mechanism in place, if applicable. For contracts an organization already has in place, such contracts should be reviewed for compliance, and renegotiated or amended as needed.
Before transferring EU Personal Data to a third party, an organization should require sufficient guarantees that the third party will implement appropriate technical and organizational measures that satisfy the GDPR and provide protection to the rights of Data Subjects.
The GDPR contains a list of contractual clauses that should be included in an agreement for the transfer of EU Personal Data, such as confidentiality and security measures in accordance with Article 32. An organization may find it helpful to draft a standard data processing agreement or template. The issue of liabilities is important to consider in drafting because Data Subjects now have the right to receive compensation from both Controllers and Processors for damages suffered as a result of processing that infringes the GDPR.
The mechanisms for international Personal Data transfer are similar to those available under the Directive, with some changes such as the addition of standard data protection clauses adopted by Supervisory Authorities, and approved codes of conduct or certifications. An organization should determine which data transfer mechanisms it will use and accept, and implement any requirements under such data transfer mechanism. The data transfer mechanism should be selected and implemented before developing standard data processing agreements or templates, as each mechanism has different requirements that must be included in those agreements.
5. Data Subject Access Requests
As mentioned above, the GDPR has expanded Data Subjects' rights, and this means that organizations will need to implement processes to respond to Data Subject access requests. Organizations must be able to identify and provide the Personal Data held about a Data Subject if requested to do so.
For information systems that are not set up to identify Personal Data as defined under EU law (Personal Data includes IP addresses, biometric data, etc.), GDPR compliance can be a challenging undertaking and may require investment in upgraded technology. In addition, information systems must be set up to stop processing of Personal Data, erase Personal Data, restrict certain kinds of data processing, or provide Personal Data in a portable format (if applicable) upon request. Since setting up systems to respond effectively and quickly to Data Subject access requests can be a long process, an organization should begin this step as soon as possible.
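To make concrete how the data map from step 2 feeds the Data Subject request handling described here, the following is an added example (not code from the original article or from any product it mentions). It models a hypothetical online retailer: the system names (`crm`, `analytics`), field names, subject id `s-1001`, hosting locations, retention periods and stored records are all constructed for illustration. The point it demonstrates is that once every system holding Personal Data is inventoried with its purpose and retention period, access, portability, erasure, restriction and retention checks can all be driven from that single inventory rather than from per-system guesswork.

```python
"""Added example: a minimal data map driving Data Subject request handling.
All systems, fields, subject ids and records below are constructed, not real."""
from dataclasses import dataclass
from datetime import date, timedelta
import json


@dataclass
class DataMapEntry:
    """One row of the data map (the inventory items listed under step 2)."""
    system: str              # where the Personal Data lives
    data_types: tuple        # inventory of Personal Data types held there
    subject_category: str    # e.g. customers, employees
    location: str            # hosting location
    purpose: str             # purpose of processing
    retention_days: int      # retention period
    transfer_mechanism: str  # e.g. Standard Contractual Clauses, or "n/a" inside the EU


# Constructed data map for a hypothetical retailer (assumption, not from the article).
DATA_MAP = [
    DataMapEntry("crm", ("name", "email", "ip_address"), "customers", "EU-DE",
                 "order fulfilment", 730, "n/a"),
    DataMapEntry("analytics", ("ip_address", "device_id"), "customers", "US",
                 "web analytics", 90, "Standard Contractual Clauses"),
]

# Constructed record stores: system -> subject id -> record (with a 'collected' date).
STORES = {
    "crm": {"s-1001": {"name": "A. Example", "email": "a@example.test",
                       "ip_address": "203.0.113.9", "collected": "2017-01-15"}},
    "analytics": {"s-1001": {"ip_address": "203.0.113.9", "device_id": "dev-77",
                             "collected": "2017-06-01"}},
}
RESTRICTED = set()  # subject ids whose processing has been restricted on request


def _systems_holding(subject_id):
    """Data map entries whose system currently holds a record for the subject."""
    return [e for e in DATA_MAP if subject_id in STORES.get(e.system, {})]


def access(subject_id):
    """Right of access: every record held about the subject, with the stated purpose."""
    return {e.system: {"purpose": e.purpose, "data": dict(STORES[e.system][subject_id])}
            for e in _systems_holding(subject_id)}


def portability_export(subject_id):
    """Data portability: only the Personal Data fields named in the data map, as JSON."""
    export = {e.system: {k: STORES[e.system][subject_id][k]
                         for k in e.data_types if k in STORES[e.system][subject_id]}
              for e in _systems_holding(subject_id)}
    return json.dumps(export, sort_keys=True)


def erase(subject_id):
    """Right to erasure: delete from every mapped system; returns the systems touched."""
    touched = [e.system for e in _systems_holding(subject_id)]
    for system in touched:
        STORES[system].pop(subject_id)
    RESTRICTED.discard(subject_id)  # nothing left to restrict
    return touched


def restrict(subject_id):
    """Restriction of processing: flag the subject so processing paths skip them."""
    RESTRICTED.add(subject_id)


def run_analytics(subject_id):
    """A processing path that must honor restriction: returns None when restricted."""
    if subject_id in RESTRICTED:
        return None
    rec = STORES["analytics"].get(subject_id)
    return rec["device_id"] if rec else None


def overdue_for_retention(today_iso):
    """(system, subject id) pairs held past the retention period recorded in the data map."""
    today = date.fromisoformat(today_iso)
    return [(e.system, sid)
            for e in DATA_MAP
            for sid, rec in STORES.get(e.system, {}).items()
            if date.fromisoformat(rec["collected"]) + timedelta(days=e.retention_days) < today]
```

Note that `portability_export` deliberately emits only the fields the data map declares as Personal Data types, and `run_analytics` checks the restriction flag before touching the record; both behaviours exist only because the inventory was built first, which is why this step is hard to complete without step 2.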
Becoming compliant by May 25, 2018 will help organizations avoid penalties (up to the greater of €20 million or 4% of annual worldwide turnover), suspension of processing activities, litigation costs and monetary or reputational damage.
The GDPR can be more than just another compliance project; if done properly, it can be an opportunity for your organization to increase profitability and streamline your data governance process. For example, data mapping can lead to more efficient data processing operations (e.g., reducing data storage costs and data retrieval costs during litigation), provide greater transparency, increase customer confidence and boost an organization's reputation.