You are the European General Counsel of InfoGlobe Inc (InfoGlobe), a US company providing online weather forecasting and climate information. Most of your clients are big corporates – shipping, insurance and agriculture companies – but in the dot.com boom, InfoGlobe launched InfoGlobe4You, a consumer service. It barely turns a profit and InfoGlobe stopped investing in it years ago, but is still widely used by farmers in Europe and Asia.
InfoGlobe lives up to its name and has acquired businesses and employees around the world, including an extensive European business headquartered in the UK. As data has become more commoditised, InfoGlobe has branched out: insurance companies can now load individual quotes onto its ClimateSure platform to calculate how long range weather forecasts might impact the price. The company has also recently cut costs by completing an extensive outsourcing program and rationalising its many data centers into two data hubs hosted in the cloud.
The InfoGlobe CEO has begun to worry about GDPR and asked you to do a quick assessment and then put in place whatever's needed to avoid one of those mega-fines she's been reading about.
What should you do next?
Ask for resources and support
Don't be deceived by the idea of a "quick assessment"; InfoGlobe is a large and complex company, personal data permeates its operations and this is a significant project which will involve every area of the business. Remind the CEO of the mega-fines and ask for the following:
- Budget: scope the costs and timeline for the initial assessment phase of the project. The total project costs can't be calculated until the assessment has been completed and the business has costed each of the remediation requirements.
- Project management support: a GDPR project needs a lot of project management and you won't be able to keep it on track without at least some support.
- Commitment from each of the business and functional heads: their commitment is critical to completing the assessment, driving the remediation and implementing new policies and processes. You should consider asking for a point person from each business and function who will manage the project for that sector.
- Senior executive champion and steering group: given the size of InfoGlobe, you should consider setting up a senior steering group and recruiting a senior executive champion who will provide accountability, critical perspective and momentum. It is the role of the champion and steering group not just to oversee the project but also to set its parameters: what is InfoGlobe's risk appetite? Does InfoGlobe want to use external lawyers and consultants? How might InfoGlobe's business strategy impact the project?
Engage your stakeholders
Get this right at the beginning, when novelty, headlines and time pressure are on your side. Early engagement tactics include:
- Establishing a clear, easily adapted narrative about what GDPR is, why it matters and what InfoGlobe needs to do. Everyone needs to understand that narrative; all InfoGlobe's employees are your stakeholders.
- Managing expectations: your project may not be completed by 25 May, but you should have addressed the major risks by then (see below) and have a plan for the rest. In fact, the project will never be completed: GDPR is for life (or at least until it's replaced by another law) and the project will need to morph into a 'new normal' of a fully sustainable data protection programme.
- Reporting progress: use a weekly or bi-weekly dashboard to report progress to all your key stakeholders so that they are reassured about what has been done and understand what remains to be done.
Complete an assessment
The first phase of the project will be an information gathering exercise to work out what personal data InfoGlobe is collecting and using, who the personal data is about, what it's being used for, where it is, how it is (or isn't) protected and what the legal basis is for using and collecting it. The assessment needs to cover all of InfoGlobe's products and services, its internal processes and its arrangements with third parties.
The standard approach is to kick off the assessment with a questionnaire. It's a good start but it's worth noting the following:
- Make it easy: the questionnaire should use vocabulary and terms that are immediately intuitive to and shared by the business.
- Make it relevant: allocate sections of the questionnaire to the right parts of the business – the cloud development team will become quickly discouraged if asked to answer the HR section.
- Make individuals accountable: the point person for a business or function should collate the answers for that business or function.
- Make time: the completed questionnaires may raise more questions than they answer, so you will need to allow time to follow up with phone calls or face-to-face meetings.
Somewhere during the assessment you will get sucked into a vortex of contradictory information and endless detail. This is where you need to focus on your biggest risks in this order:
- Risk to the privacy of the individuals whose data you're holding: what would they and your regulators care about most?
- Risk to your business: are there areas of your business which are built on personal data or for which it's critical? Are there specific areas of heightened reputational risk?
- Risk to your timelines: if your assessment identifies that you need to make changes to a product or service, a significant platform or renegotiate with or even replace a supplier, let your stakeholders know promptly. Changes to products, services and internal IT will need to be built into a budget or a development cycle and you may be joining the back of a long queue to renegotiate with your suppliers.
Other things to consider in parallel
InfoGlobe won't get the project completed by 25 May, but you can make faster progress by starting to remediate some of your biggest issues while still running the assessment. You and your senior management will have at least a very strong hunch about what these issues are.
ClimateSure
This is InfoGlobe's premium platform and carries a high risk to revenue and reputation. The quotes uploaded to the platform are likely to include personal data, possibly even sensitive personal data. Steps to consider include:
- Carry out a data protection impact assessment (DPIA) into ClimateSure so that you really understand how it collects, uses and protects personal data, particularly if that use goes beyond providing the ClimateSure service (e.g. for research or analytical purposes).
- Get ahead of client concerns by issuing a 'white paper' covering all the data protection issues including information security standards and export of personal data outside the EU, although remember that your customers will expect you to stand behind the white paper in your contracts with them.
- Draft a standard GDPR-compliant data processing agreement/addendum to offer clients. You will need to find a balance between what's good for you and what's good for your clients or be ready for some very tough negotiations over liability and audit rights.
InfoGlobe4You
Small businesses on the periphery of your operations can present disproportionate risks. InfoGlobe4You has been starved of investment and oversight, and InfoGlobe's expertise is in the corporate, not the consumer, space. Carry out a deep dive into InfoGlobe4You, particularly around privacy statements and marketing.
Third party suppliers
The GDPR requires InfoGlobe to vet all new and existing suppliers who handle personal data on its behalf and to put in place processing agreements which cover an extensive and onerous range of provisions. InfoGlobe has dozens, possibly hundreds, of suppliers; start with the key providers for HR (SaaS platforms, payroll, benefits providers) and the cloud services.
Information security
The standards for information security are unchanged, but the risks of failing to meet them are hugely increased. Review information security standards for key products and internal processes and overhaul InfoGlobe's breach reporting process to meet the new 72-hour breach reporting obligation.
International data transfers
InfoGlobe is a global company and personal data is going everywhere, particularly to the US. Devise a strategy for legitimising those transfers of data outside the EU. Given the flow of data between the EU and InfoGlobe's US HQ, a Privacy Shield certification might be a good place to start.
Share the pain
25 May is just around the corner, but this project is for the long haul. The privacy community is exceptionally open and collaborative, so consider joining an industry group or attending seminars and sharing in their know-how and experience.