On 25 May 2018, Europe's new General Data Protection Regulation (the "GDPR") will come into effect, introducing a raft of changes to Europe's current data protection regime – including increased territorial scope, new obligations for processors, enhanced accountability requirements, and the threat of significant fines (up to 4% annual worldwide turnover) for those that get it wrong. It's a seismic change. EU Privacy Law 2.0 if you like.
Originally 261 pages, the GDPR has over 20,000 more words than Shakespeare's Hamlet and has probably resulted in more primers and updates in your inbox than your IT department's imposed storage limits will tolerate. Headlines like "Companies who've not started GDPR readiness will not be ready on time" and "GDPR fines up to 4% of worldwide turnover" are intended to scare, and they do. What's more, you read part of an old draft on a plane in October 2015 and you're not sure whether the threshold for appointing a DPO is still set at 250 employees or more (it's not; that changed, see Section 4: Articles 37 to 39).
All in, you're feeling overwhelmed, unsure where to start, and the day-job is unrelenting anyway. Plus Schrems just cost you the last 6 months of otherwise productive GDPR prep time (yes, 6 October 2015 was last year; yes, you still don't have all the data transfer answers; and no, your vendor flow-down exercise has not closed out).
Getting "GDPR ready" may seem a daunting task – but with careful planning, project management and prioritisation, it is an achievable one.
Keep calm and get GDPR compliant
So how should you approach the GDPR? I'd suggest one chunk at a time:
- Sit down, pour a glass of wine or your favourite Mountain Dew and read it end to end. Whilst long, the GDPR is more accessible than you think. Pay attention to the recitals because, ahead of any official guidance, these are our best interpretive aids; and
- Then work through systematically using a simple, 4-step methodology:
- Assess where you are today
- Identify gaps between current compliance and what needs to change to provide GDPR compliance
- Prioritise the remedial measures needed based on risk
- Implement remedial measures based on this risk-prioritisation
Fieldfisher's 4-step methodology
Step 1: Understand how the business uses data today
No business can get GDPR compliant unless it first knows what data it collects today, how and where it uses that data, with whom it shares that data, and what existing compliance framework it has in place. You need to work with your internal teams to help them gather this information by formulating and asking the questions that need asking, liaising with internal stakeholders, and collecting and reviewing existing policies, notices and contracts as necessary.
Collecting this information can be time-consuming, and tracking down answers to the questions asked is not always easy. Whether you approach it product by product, service by service, or address each business unit in turn, you need a plan to sift and gather information.
Ultimately you need to form a picture of your data, what datasets it comprises, and where it goes. You will need this picture for Step 2 and for interpreting the roles you perform in respect of that data. 25 May 2018 is some time away, so in a fast-moving agile business you may need to revisit this over time. Try to anticipate new products and/or innovation growth within the enterprise. Don't leave it to engineers and others to determine whether that data is "personal data" or not. Make your own decisions.
Step 2: Assess what needs to change for compliance with the GDPR
Once you understand how your business uses data today, you need to assess how the GDPR will impact your business and what measures you need to take for compliance. No two businesses are the same: the impacts of the GDPR will differ depending on whether you are a multinational pharmaceutical company, a cloud-based service provider, a financial services institution or a Silicon Valley start-up. The only thing guaranteed to be in common is the need for compliance.
You should start by addressing the key strategic issues posed by GDPR compliance: Are you a controller or a processor? Is the data you process "ordinary" personal data or "sensitive" data (or both)? Are you within the territorial reach of the GDPR? Should you rely on consent or on other lawful grounds to process data? What is your data export strategy, is it appropriate, and how does this impact your wider compliance model? Is there any profiling, monitoring or tracking activity to consider? Will your business need to appoint a DPO? Go back to all those primers and alerts you received, list the topics that will apply to your business, and try to prioritise them in the context of your business; some (like accountability, international transfers and dealing with consents) may be more pressing than others.
Only once those key strategic issues have been addressed can the operational impacts of the GDPR then be accurately identified and addressed – a GDPR readiness programme will look very different for a controller handling sensitive data than it would for a processor handling only pseudonymous data. You will need to identify these operational impacts by performing a gap assessment of your compliance as it exists today (taking into account the key strategic considerations) against the requirements that will apply to your business under the GDPR, and report on (and potentially document) your findings.
Step 3: Prioritise the changes you will make
Compliance is a process, and necessarily entails prioritisation: identifying those compliance actions that will present the highest risk to the business if not taken, and prioritising them over less important, technical compliance actions. You may also need to factor in legal changes (e.g. new data rights for data subjects) that will necessitate internal development time or changes to process before you can achieve compliance. The simple fact that these take time to solve may elevate them in your list of priorities.
In identifying the GDPR issues that present the greatest risks to your business, you need to take into account both the technical risk and the actual likelihood of occurrence, and draw up a prioritised "plan of action" that takes account of practical implementation considerations: for example, what is actually achievable given the resource availability, existing infrastructure and risk tolerance of the business. Be realistic: in a dynamic or risk-tolerant environment, full compliance is something many businesses fail to achieve. You need to have made an assessment, and you ideally need to develop a narrative that explains your decisions and the steps you've taken.
Step 4: Implement your GDPR readiness changes
Once you know what actions need to be taken, and the order in which they need to be addressed, then the real work begins: implementation. Implementation measures may range from drafting notices, policies and contracts, to developing training and audit programmes, to supporting internal data mapping exercises, to implementing new data export mechanisms – the list goes on.
Anything else for EU Privacy Law 2.0?
For those not blessed with instant business buy-in, you may also need to start building your business case and aligning your internal champions to make a case for change, extra budget or support. Most of all, this team needs to carve out time from their already busy days to focus on the issues in your plan of action and to identify the external pressures which will drive change: customer demands, channel partner concerns, risks of enforcement, etc. Some businesses supplying long-term services to sophisticated customers will find that they are asked to agree GDPR-friendly contract terms or introduce GDPR-related rights (like portability requirements) almost immediately.
With new law coming and, if you follow Step 1, an internal assessment of the data collected, used and shared, you are forming a valuable picture of data use and data flows within your organisation. This also presents the opportunity to bake privacy into the way your business operates (something which may be required under the GDPR anyway). New rules demand new practices, and the chance to frame those operational practices around best-practice privacy methodologies across a business is a rare opportunity. It is also an opportunity to simplify and standardise your privacy approach in customer- and consumer-facing documents, contracts and notices.
Also be aware that, whilst the GDPR is in final form, Member States are yet to craft local derogations for certain elements of the GDPR or to declare whether they opt in to provisions like the "anti-FISA" restrictions (in Article 48). For key areas (e.g. the applicable age of consent for children) you need to track where national variances may be made by particular Member States (as they are entitled to do under the GDPR in a number of areas). Do such derogations introduce fragmented rules which your business will need to adapt to? There will also be new Guidance, Supervisory Authority statements, approved Codes of Conduct and new certifications from Certification Bodies that will emerge and inform or test your readiness conclusions. Monitoring and assimilating all of these developments will be important over the next two years.
This approach is only Fieldfisher's suggestion, of course. Some have large teams and multiple stakeholders to manage and corral. But many are on their own, multi-tasking and running more than a privacy programme. By adopting the "one bite at a time" approach across pre-identified issues and topics, and with the above methodology, you'll get there.
Now that you understand, apply the GDPR in your daily privacy analysis and learn how to explain it to others…