GDPR compliance: Identifying an organization’s unique profile
After a two-year transition period, the General Data Protection Regulation (GDPR) becomes enforceable beginning 25 May 2018. Presumably, many large companies have been working on a compliance program for months now. As the deadline approaches, many organizations are finding that ensuring compliance is a more complex endeavor than they had initially expected.
GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC), and the new regulation imposes a substantial increase in requirements, reflecting major technological changes over the last two decades and mounting concerns about the vulnerability of personal data.
While it’s worth noting that fines for non-compliance among enterprises can reach up to 4% of an organization’s annual worldwide turnover – an estimated $480 million for the average Dow Jones-listed company – it’s also important not to allow fear and uncertainty to cloud the planning and decision-making surrounding GDPR. Internal disputes about which controls are most practical, where to direct resources, and who will be held accountable for the design and management of the compliance program will only add to the complexity.
Incorporate diverse perspectives from key stakeholders
In this context, cooperation among business unit leadership is vital to the success of any effort to design and implement an effective compliance initiative. In particular, legal, IT security, privacy and information governance functions must all be closely aligned as the process moves from the planning, scoping and design phases to implementation and ongoing management of the program.
Compliance will need to encompass IT systems, staffing, policies and contracts, but organizations should avoid the trap of relying on IT expertise exclusively. It is imperative that creators of successful GDPR compliance programs incorporate viewpoints from key stakeholders across the organization.
Match solution design to your unique risk profile
Apart from fostering cooperation and collaboration among stakeholders and business units, how should companies be responding? A measured approach is probably best for most organizations. Understanding where your company’s biggest GDPR risks lie is critical. Start by looking at situations where your company is collecting and/or processing personal data for consumers based in the EU. If your company’s core business involves processing such information, your risk will be far greater than the risk for organizations engaged primarily in B2B transactions and not marketing products directly to consumers.
If you establish protocols for recording processing activities as required by GDPR, you will be able to identify security and process gaps that will require remediation. Vendor-driven templates and methodologies, often accompanied by large teams of consultants, are likely overkill, and may be poorly matched to the unique needs of individual organizations.
Few companies need massive, expensive, world-class solutions. Instead, develop a logical approach that is customized to your organization’s unique risk profile. It is entirely possible, and eminently practical, for most organizations to distill GDPR compliance to a set of core, actionable components while leveraging existing data protection capabilities and management processes.
Prioritize core requirements
Let’s take a look at new requirements and restrictions that should be priorities in most compliance programs. Under the new regulation, companies must:
- Identify and clearly document any activities related to the processing of personal information of EU data subjects. This must include establishing a lawful purpose for each processing activity.
- Ensure that you provide adequate notice to data subjects at every point personal data is collected, advising them of what data is being gathered and stating exactly how it is being processed.
- Be prepared to respond to data subject access requests (DSARs) and other assertions of rights by EU residents. GDPR imposes a 30-day time limit to respond to a request.
- Develop a process for conducting privacy impact assessments – a formal analysis of data protection and impacts on individual privacy rights– with the introduction of any new business process or system.
- Safeguard personal data transferred outside the EU via adequacy, consent, binding corporate rules or other contractual provisions.
- Scrutinize access controls, encryption, pseudonymization and technical security measures for protecting personal information under the company’s control.
- Notify an EU data protection authority within 72 hours of a security incident that compromises personal information of an EU citizen.
- Appoint a data protection officer responsible for regular and systematic monitoring of data protection efforts, as well as for internal education and training and compliance audits. This person will also be responsible for communications between the company and GDPR Supervisory Authorities, as well as communications with data subjects. This requirement applies to any organizations that possess particularly sensitive data, or that process and/or store large volumes of EU personal data, regardless of whether the subjects are employees or individuals outside the organization.
Understand the steps to developing a defensible plan
First of all, review the new regulations and make sure that your team of stakeholders is aligned on key definitions and interpretations.
Next, create a detailed map of your organization’s data. You will need to have a thorough understanding of how all EU personal data flows through your systems, where it is stored and who has control over it. We recommend you document processing activities by using automated survey tools, but also by utilizing input from internal stakeholders. It’s essential to account for any third-party vendors in this mapping exercise. As you proceed, your team should rigorously review data retention policies for structured data sources like CRM systems, personnel records, marketing databases, etc. Many organizations keep far more personal data than is justified by the business value of doing so. Companies will also want to identify and document processing activities using automated survey tools and formal input from stakeholders to identify EU personal data and map locations of protected data types.
As part of this process, be sure to identify any unstructured data sources like email. With regard to email, companies will want to take steps to make individual users aware of the risks associated with retaining and sharing the personal data of EU subjects, and the potential consequences for companies and individuals alike when that information is not rigorously protected. Many companies will want to consider encryption, pseudonymization and/or email monitoring to bolster security protocols.
After mapping, it’s time to develop a comprehensive written plan. We urge organizations to view GDPR compliance planning as an opportunity to thoroughly revisit the full range of their existing security controls with respect to personal data, and identify gaps and weaknesses. This includes scrutiny of functions like access controls, patching and vulnerability management. The plan must also account for incident detection and response capabilities. Also, don’t forget to review vendor and other business contracts for GDPR compliance, and promptly negotiate new terms, including any necessary data processing agreements.
Note that new GDPR reporting requirements include a provision requiring organizations to provide regulators notification of a breach within 72 hours. If you don’t already have a detailed plan for incident response, you will need to develop a defined process that spells out exactly how internal stakeholders will be notified and by whom, who will contact the regulator and how, and when and what to tell customers. Again, the details of these and other protocols are difficult to standardize across diverse organizations and will depend to a large extent on your company’s unique risk profile.
To get a more comprehensive understanding of potential risks, many companies will find it useful to conduct a Privacy Impact Assessment (PIA). This is a formal process to evaluate an organization’s ability to meet legal, regulatory and policy requirements for privacy, identify and assess potential risks related to personal data, and propose specific measures to manage those risks. Hiring a Certified Privacy Professional to review existing documentation and recommend new or additional policies may also expedite the planning process.
Compliance also requires that you create a process for responding to requests from EU data subjects to access, modify or delete their personal information. For many organizations, it might make sense to fulfill this obligation through use of a qualified third party rather than imposing an additional burden on internal staff.
Finally, a critical – and often neglected – component of an effective compliance program is employee education and training. You must ensure employees have a clear understanding of the company’s obligations and risks with respect to GDPR regulations. Conduct executive briefings throughout the planning process. Develop and implement a privacy training program that is tailored to your information and security systems, your risk profile and your company culture. And make sure everyone participates.