With fewer than 100 business days remaining until the 25 May 2018 implementation date of the EU’s General Data Protection Regulation (GDPR), companies’ preparations are in full swing. With sanctions for non-compliance potentially reaching millions – or even billions – of euros, it is no wonder the new law has grabbed the attention of senior management and boards of directors, not only in Europe, but also in the US and the rest of the world.
Hopefully, your company has already planned, budgeted, deployed and implemented its privacy management programme. In that case, enjoy spring! But if you have not yet crossed all the Ts and dotted all the Is, what are the absolutely essential steps you must take to avoid going down in history as the first company to feel the wrath of GDPR?
First, do your data mapping. We all know that the first step toward change is awareness. Without knowing what data you have, where it is stored and with whom it is shared, it is impossible to comply with consumers’ access requests or legal retention limitations. In fact, a central pillar of the GDPR framework is the “accountability” requirement, which starts with identifying, inventorying, documenting and systemising personal data flows in the organisation. Record keeping of data processing, known in industry jargon as the “Article 30 requirement”, is offered by a slate of startup tech suppliers and a cottage industry of consultants, which can help you prepare.
Second, devise and implement a data retention plan. Privacy professionals always say that data minimisation is the organising principle of data protection. Don’t collect data if you don’t really need it. Don’t keep it unless it is absolutely necessary for a legitimate business purpose. Indefinite or uncontrolled retention of structured and unstructured data is a common source of privacy mischief. Records management may not be glamorous, but it is an increasingly crucial business function in a world of big data and of privacy and security risks. Data retention schedules are tedious and complex, often integrating requirements from dozens of laws and regulations. They are also closely linked to security practices. For example, even if records of past transactions have to be kept for many years to protect against potential legal claims or to facilitate tax audits, access to them should be restricted to, say, the general counsel only, and not extended to operational product teams.
Third, set forth and update data protection statements and policies. Even more than previous privacy laws, the GDPR requires a long list of information disclosures to be made to consumers and employees. Accordingly, some of the policies are external facing and others internal. Make sure disclosures are comprehensive to avoid undermining the validity of consumers’ consent. Also, make sure data protection obligations are present in, and propagated through, supplier agreements to prevent corporate policies from being undermined by external service providers or outsourcing suppliers.
Fourth, conduct risk assessments and, where appropriate, data protection impact assessments (DPIAs). While it is long and detailed, the GDPR is also modular, scalable and risk-based. Not all the obligations apply to every company, and even generally applicable requirements do not apply the same way across the board. As an economy-wide, cross-sector regulatory instrument, the GDPR recognises the difference between a data breach involving only individuals’ names and job titles and one leaking patients’ genetic records. For high-risk activities, the GDPR requires companies to perform a DPIA. This means going through a structured process of identifying, documenting and sometimes reporting the likelihood and severity of privacy risks for individuals as well as measures of mitigation that the company intends to take.
Fifth, appoint a data protection officer (DPO) and, where necessary, a European representative. The GDPR’s requirement for the appointment of a DPO is fairly broad. Estimates vary, but research generally shows tens of thousands of organisations will have to have one in place. Being a DPO is not something an HR or IT professional can do off the side of their desk. The GDPR requires DPOs to have “expert knowledge of data protection law and practices” and the ability to fulfil their tasks practically. This clearly calls for professional training and, optimally, certification. Also, a DPO must “report to the highest management level” of the company and yet have sufficient independence to stand up for consumer privacy rights. Businesses that do not have a European establishment but are subject to the new law will also have to appoint a local representative who will serve as a liaison with regulators.
Sixth, prepare the technologies, systems and processes for respecting individuals’ data protection rights. One of the main, and most expensive, challenges of GDPR implementation concerns adapting existing systems to comply with a long list of existing and newly established individual rights, including the now-famous right to be forgotten as well as rights of individual access, rectification, revocation of consent, portability and more. It is one thing to establish a legal or compliance team to address GDPR challenges; it is quite another thing to engage product engineers, CISOs and CIOs, IT teams and additional corporate functions to configure existing systems and create new processes for respecting individual requests.
Finally and most importantly, recognise that GDPR compliance is always a work in progress. It is practically impossible to be fully compliant with a wide-ranging set of obligations that apply to virtually every organisational process across departments and geographical locations. In line with the accountability approach, regulators are likely to allow businesses some leeway to adjust to the new framework and for best practices to emerge, as long as companies can demonstrate a serious, methodical approach to GDPR implementation. It is not too late to start.