This article appears in the Fall 2017 digital issue of DOCUMENT Strategy. Subscribe.
The General Data Protection Regulation (GDPR) represents possibly the most sweeping change to data protection laws in over 20 years. When it goes into effect on May 25, 2018, the new regulation will impact every organization that touches the personal data of European Union (EU) residents, regardless of the organization’s location—and every person who resides in Europe will be the beneficiary of the new law.
So, why is this new law so important? The GDPR imposes much greater regulatory and individual control over personal data, a vital asset of the global economy. In addition to its depth and scope, potential fines of €20 million (or four percent of global revenue for non-compliance) raise GDPR readiness as a top priority for most organizations in 2017 and 2018.
Where should organizations begin to achieve GDPR compliance? With expanded territorial applicability and increased scope, it is important for organizations to clearly understand the full weight of their GDPR obligations. Under the pressure of limited time and resources, engaging professional service providers with both legal and IT security expertise will help organizations focus their compliance efforts in the areas that present the greatest privacy and data protection risks.
Obligations Under GDPRThe focus on individual rights, as well as transparency and accountability for the collection and handling of personal data, places EU residents and their rights at the heart of the GDPR. For instance, individuals will be able to demand the right to be forgotten, so their personal data will need to be deleted and destroyed, as well as the right to data portability so that they can move their data from one organization to another. Organizations will need to consider all aspects of their processing activities considering the rights afforded to individuals under the GDPR.
Additionally, the new regulation enforces a multitude of new compliance obligations, nearly all of which will be time-consuming and costly for organizations to address. These obligations include new rules to obtain explicit consent for specific use of personal data, making blanket collection of data difficult and risky. There will be new requirements to carry out a Data Protection Impact Assessment (DPIA) to understand the risks to an individual’s privacy before that individual’s personal data is used. In addition, there will be new requirements for privacy by design and by default, so that at the outset, controls for data protection and privacy are built into any changes to business operations and technology. Finally, there will be new obligations for transparency, including breach disclosure requirements to notify authorities and, in some cases, data subjects within 72 hours.
5 Key Steps to GDPR ComplianceCompanies that position themselves as responsible custodians of customer and employee data will gain a strategic advantage over their competitors when the law goes into effect. There are several steps organizations must take to achieve this.
1. Designate Ownership for Data PrivacyAssign roles and responsibilities for privacy and data protection across the enterprise. Consider implementing a formal data privacy program to enforce accountability and help ensure a strong governance structure so that privacy and data protection receive the appropriate level of attention within the enterprise. European Union (EU) supervisory authorities will expect reporting lines on privacy and data protection compliance to the board (or the equivalent top management level).
2. Understand Your DataEstablish a formal inventory of data processing operations and supporting systems that collect, process, and store personal data. Organizations need to evaluate their data collection practices to ensure proper consent was received from EU individuals. Additionally, organizations need to verify the legal basis for collecting and processing personal data as well as the legal means for any cross-border transfers.
3. Perform a GDPR Readiness AssessmentPerform a “current state” analysis to determine GDPR obligations and identify gaps, and develop a roadmap to achieve compliance with the new regulations.
4. Communicate With Partners and Third PartiesBegin communicating with high-risk partners and vendors to review current contract terms and agreed-upon data protection controls. Increased responsibility and liability implications will affect contractual arrangements for those companies or vendors sharing personal data outside of their organization. Because of the changes in responsibility for breach notification, organizations need to review contracts between parties involving data protection to ensure that appropriate measures are in place.
5. Address Data Subject RightsImplement new processes and technologies to fulfill requests by individuals exercising their rights under the GDPR. The GDPR does not mandate any particular means by which requests must be facilitated, but it does indicate that organizations should provide means for electronic requests to be processed within one month.
For most organizations, and certainly almost all that conduct business within the EU, the GDPR is a game-changer. To comply with the new requirements, many will need to transform how they manage the data of individuals, including, but not limited to, how their vendors retain and manage this data. Efforts to remediate deficiencies and achieve GDPR compliance could take months. In this environment, next May is just around the corner; thus, it’s important to avoid delay and begin preparing today.