Although the current focus of many companies regarding the EU General Data Protection Regulation (GDPR) is on the May 25, 2018 effective date, we see that date as the beginning, not the end, of implementing a global GDPR compliance program. First, the risk-based GDPR framework for privacy and data security is an ongoing compliance process, not a “one-and-done” activity. Second, the EU Member State Data Protection Authorities (DPAs), charged with enforcing GDPR compliance, are grappling with how best to approach the operational issues that arise as entities interpret and implement GDPR’s data protection principles. Third, we expect the issuance of additional guidance that will potentially impact a number of companies’ activities, including the interaction between GDPR and the not-yet-final EU ePrivacy Regulation for online data activities. As a result, we expect to see DPA interpretations of GDPR, including through enforcement activities, that will provide clearer compliance guidance.
Organizations that are beginning to or in the process of developing and implementing compliance programs should keep the following general principles in mind:
- Don’t panic, but focus on high-risk priorities in the processing of personal data, which will depend on type of business operations, size of organization, territorial scope, etc.
- GDPR compliance is a risk-based assessment rather than an exercise in complying with black and white rules. Because risk management must be tailored to the activities of each entity, reasonable GDPR compliance will vary from entity to entity. Avoid copying what another entity does with regard to GDPR or using a template approach to GDPR compliance.
- Entities that are active in the online advertising, marketing, and communications space need to make sure that their risk management activities under GDPR maintain sufficient flexibility to account for the not-yet-released EU ePrivacy Regulation.
- Successful completion of a GDPR compliance project requires:
- Support of senior management as a top-level priority, who should be fully informed of potential risks of non-compliance and briefed regarding compliance efforts on an ongoing basis.
- Involvement of legal, HR, finance, marketing, IT, and other key stakeholders in order to have a 360-degree view of the activities impacting the collection and processing of personal data.
- A point person with overall responsibility for GDPR compliance, whether a formal data protection officer (DPO), to the extent required under GDPR, or another individual assigned enterprise-wide responsibility for data protection.
- GDPR compliance involves amending contracts, policies, and notices, but it is not a paper exercise. Most importantly, organizations should use GDPR compliance as the motivation to carefully assess all the ways in which personal data are handled and how the organization can adapt its existing processes and systems, and create awareness throughout the whole organization to change the approach towards personal data.