The long-awaited General Data Protection Regulation (GDPR) will come into effect on 25 May 2018.
The GDPR constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive, and introduces fundamental changes, including:
- harmonisation and further development of data protection regimes across the EU;
- extension of the regime to apply to non-EU businesses that offer goods or services to, or monitor the behaviour of, individuals in the EU (in line with EU e-commerce and consumer laws); and
- potential for businesses to be fined up to EUR 20 million or 4% of their worldwide annual turnover, whichever is higher, for serious violations of the GDPR.
For those that have not already started a GDPR compliance project, the message is: don’t panic yet, but the sooner you can start, the better. We have developed this short guide and the accompanying infographic to help you kick off your GDPR compliance project, and to show you how we can help (as much or as little as you like) along the way.
If you are a UK business questioning the impact of Brexit on the status of the GDPR in the UK, further information can be found here.
What are the challenges of implementing GDPR compliance?
As things stand, there are a number of uncertainties around the potential impact of the GDPR on the current legal regimes of EU Member States. Knowing where to start can, therefore, seem overwhelming. Even once you have a plan in place, or have identified areas of weakness, knowing which areas to focus on and prioritise can be difficult. Once that is sorted out, actually finding the time and resource to carry out the plan (while continuing business as usual) can seem like a gargantuan task.
In practice, there is no one-size-fits-all GDPR project plan, and the amount of work required will vary depending on a number of factors, including:
- existing obligations set out in each relevant EU Member State’s local data protection laws;
- the extent to which you are compliant with the data protection laws currently in force and how sophisticated your business is with respect to data protection;
- how much personal data you process and for which purposes, and how much of that falls into special categories of personal data;
- whether you are a data processor or a data controller;
- what policies and procedures you already have in place and how you document your data processing practices; and
- how straightforward your data processing activities are (for example, do you involve data processors? Do you export personal data outside of the EU?).
Our advice is to take stock first and then to take it step-by-step, biting off one manageable-sized chunk of the GDPR pie at a time, so that you are ready for compliance on (or before) 25 May 2018.
Step 1: Lay the foundations
As is often the case, the key to a successful GDPR project will be to spend enough time laying the foundations. Although it is tempting to dive straight in, time spent on these initial aspects will reap benefits later:
Many of you will have been working tirelessly over the last four years telling the relevant people in your business that a big change, in the form of the GDPR, is on its way. Now that it is finally here, those efforts may need to be ramped up.
It is vital to identify key stakeholders early on and, in particular, ensure that you have an executive sponsor on board to support the project through to May 2018 and beyond.
The ‘stick’ is the potential for significant fines in the event of non-compliance and the possibility that companies may be required to delete valuable data collected in breach of the GDPR.
The ‘carrot’ is that being a forerunner in your field in terms of data protection compliance can give you a significant business advantage over your competitors. In addition, some areas of the GDPR even allow businesses to be more flexible and innovative in the way that they design their data processing activities.
Review what guidance is currently available and what more is expected
The data protection authorities (DPAs) in each of the EU Member States have started issuing helpful guidance (some of which may be just as useful or applicable in other EU Member States). In particular:
- The ICO in the UK has issued its ’12 steps to take now’ in preparing for the GDPR, and an outline of its own project plan for developing further guidance.
- In Germany, the Bavarian DPA has announced that it will publish guidance on specific GDPR topics on a bi-weekly basis and has already produced papers on ‘the Security of Processing’ and ‘Certification’.
- In Spain, the Agencia Española de Protección de Datos has published ‘El Reglamento de protección de datos en 12 preguntas’ (another 12 point guide) and further guidance is expected in the coming months.
- At a European level, the Article 29 Working Party (which the GDPR will replace with the European Data Protection Board) has issued its work programme for 2016-2018, in which it has already set out the primary focus areas for guidance.
It will be helpful to factor the timing of any further guidance into your plan, while keeping in mind that your plan may need to flex around what that guidance says.
Hold a kick-off meeting (or several), agree a governance structure, allocate resources and set a budget
In these early stages, you may not know exactly how much work will be required, though you will have an idea of what teams are likely to need to be involved (Legal, IT, Compliance, HR, Marketing & Sales and so on), how much internal resource you have available and in what areas you are likely to need external support.
Start thinking about prioritisation
At this early stage of allocating resource and setting budgets, you will need to start thinking about what your priorities are likely to be, which areas of the GDPR you should focus on first, what teams will be required and when.
Your priorities will be dictated by the nature of your business, how you use personal data and the areas of highest risk. You will also need to think about how the GDPR might affect what you are doing now. For example:
- are you entering into contracts with data processors that will extend beyond 25 May 2018? If so, you will need to ensure that those contracts are GDPR-compliant, and cover off any additional risks (and liabilities) you may face in the event of a breach;
- are you in the process of developing a product or service that will involve the processing of personal data? If so, you should be thinking about ‘privacy by design and by default’. This is one of the key concepts of the GDPR: it requires you to build data protection into the design of the processing from the outset, so that, by default, only the personal data necessary for each purpose is processed, and access to that data is limited to those who need it. You should anticipate challenges of this nature now, rather than retro-fit solutions later;
- are you using “consent” from data subjects (such as customers or employees) to justify the collection and use of their personal data? If so, data subjects may need to give their consent again, unless the manner in which the consent has been given is already in line with the (enhanced) conditions of the GDPR, which is unlikely, in many cases.
You will get a better sense of your priorities as you move through steps 2 and 3 of your GDPR project plan, so make sure that, at regular intervals, you are pausing to assess and re-assess your plan.
The aim is to be 100% compliant on (or before) 25 May 2018, but this is likely to be challenging in practice for many, so it would be sensible to focus on the most important and risky aspects first.
Step 2: Take stock and gather information
To be able to ensure compliance with the GDPR, you will need a clear picture of:
- what personal data you collect today, how you use it, where you use it, and with whom you share it; and
- what compliance measures you already have in place.
This will also help you prioritise what is important (as referred to in step 1) and to fulfil certain requirements under the GDPR, namely the obligation to maintain a record of processing activities and more generally the principle of ‘accountability’.
This is a key step and should not be rushed. You may already have established sophisticated compliance measures and have a clear (or relatively clear) picture of how your business uses personal data, in which case there may not be too much to do. Alternatively, your business may have developed in such a way that the relevant tools and procedures were not in place to help you map this out at the time.
In our experience, this audit process is likely to take weeks or even months, but it will be well worth the effort. To come up with a GDPR solution, you need to identify the problem.
Remember that the way you use personal data may change during the course of your project, so there will also need to be processes in place to keep track of any material changes.
Once you have all the relevant information, it is almost time to implement those measures that need to be taken to ensure that, come 25 May 2018, you are GDPR compliant. But before you get there…
Step 3: Pause, review and assess
…pause, review, assess where you are and where you need to get to, and identify what you need to do to get there. Once you have all the information you need, you will need to review it. The resulting ‘gap analysis’ is one of the most crucial steps on the GDPR compliance roadmap.
To a certain extent, this may involve comparing your compliance with the current law versus compliance with the GDPR. This will not, however, always be the case (particularly if you weren’t caught by the 1995 Data Protection Directive, but are caught by the GDPR); nor should it be the focus of your assessment. In any event, this analysis will very much depend on your local DPA’s interpretation of the principles and extent of the new GDPR.
The GDPR should be seen as a standalone set of requirements. However, you should also avoid re-inventing the wheel. For example, you might have already appointed a data protection officer or have an existing process for checking data processing activities. These will be extremely valuable and may easily be adapted for GDPR compliance.
Once you have carried out that assessment, you will need to identify what you have to do to fill the ‘gaps’, and in what order you should fill them. You may have had an idea of what remedial steps would be required back at step 1, and an even better idea at step 2, but now is the time to turn that idea into a plan.
Now is also the right time to assess how the GDPR might make things easier for you. It is important to keep in mind that the GDPR is not just about increasing requirements and red tape – there are also important areas in which businesses are being given more flexibility (depending on the current national regimes). Examples include:
- requirements for consent or data processing agreements: currently, several EU Member States’ laws require consents or data processing agreements to be in writing (on paper) to be valid. The GDPR relaxes these requirements: consent may be given by any clear affirmative act, and data processing agreements may be concluded in electronic form, across the EU. This change might allow you to re-structure and improve your established process of collecting consents or concluding data processing agreements;
- justifying data processing activities on a balancing-of-interest test: many existing national laws enshrine specific requirements for, and restrictions on, certain processing activities, such as marketing use of data, video surveillance etc., which have no equivalent in the GDPR. Instead, the ‘legitimate interests’ basis applies, a balancing-of-interest test that gives businesses more flexibility regarding the justification and the design of data processing activities.
This stage will require a thorough knowledge and understanding of both the GDPR and of your business. The GDPR will need to be considered against the backdrop of your business’ infrastructure, its ambitions, its priorities and its appetite for risk.
Step 4: Implement change
Now it is time to get started on those remedial steps and to make use of the new opportunities you have identified (and prioritised) in step 3.
Here are just a few things you may be doing at this stage:
- putting in place policies and governance structures that will allow you to comply with the various requirements of the GDPR and to demonstrate compliance in accordance with the principle of accountability;
- (re-)allocating responsibilities within your business for the various tasks under the GDPR to avoid liability;
- putting in place processes required to comply with the procedural obligations under the GDPR; for example, to notify regulators and data subjects (if required) in the event of a data security breach and to respond to data subjects exercising their rights (such as to data portability);
- rolling out a programme of training for your employees;
- making technical changes to your websites and online platforms relating to legal notices, general terms and conditions, privacy policies and forms used to collect data (and any relevant consents);
- re-negotiating existing contracts with customers and data processors (if possible), and amending your templates for future contracts; and
- refreshing your consents (if required).
Step 5: Put the finishing touches to the plan
The finishing touches are those remedial steps that were lower down on the list of priorities when you came up with your GDPR project plan. These steps are still important, but are likely to be lower risk, easier to implement and will not require such a long lead-in time.
Step 6: Follow up with on-going monitoring and maintenance
As you start to use your new policies and processes, you may find that they do not work perfectly on a day-to-day basis, or that things could be done more efficiently. The next two years will be a learning process for your business. The key will be to be able to identify any problem areas, work to find a solution and make sure that solution is GDPR-compliant.
The GDPR, and your business, do not stand still. While it is unlikely that there will be significant changes to the text of the GDPR itself anytime soon, we do expect to see a lot of guidance over the next two years, at a national and international level, on how it should be interpreted. We can help you to keep on track of any updates, and understand how they may affect your GDPR project plans.
Furthermore, while the GDPR aims to harmonise the data protection laws of the EU Member States even further, national data protection laws will not be removed completely. Rather, the GDPR allows EU Member States some scope to introduce their own requirements in certain instances. We are happy to help you keep track of any discrepancies in national laws, and explain how they affect your business.
During this time (and beyond), your business, and the way it uses personal data, may well change. As well as being compliant on 25 May 2018, you will need to ensure that you remain compliant on an on-going basis from then on. You will need the right processes in place to manage that.
For many businesses, the GDPR will require a change in mindset. Where compliance with the 1995 Data Protection Directive may have been seen as another regulatory hurdle, compliance with the GDPR should be seen as involving every aspect of a business and every person in it. This may sound like a daunting task, but doing this well should reap substantial benefits.