Getting ready for GDPR
What do Facebook, Uber and Delta Air Lines all have in common? All have been hit by large data protection breaches in the past six months, in which millions of personal records were compromised. When the news broke, each suffered damage to its brand reputation and significant financial loss.
So why is Data Protection important, and what does it have to do with your business? What do you need to do to be ready for the May 25th, 2018 GDPR deadline? This article attempts to answer some of these important questions.
Below is a recap of the important points that you need to be aware of:
- GDPR comes into effect on 25th May 2018 and there will be no transitional period, as organisations have already had over two years to adjust
- The GDPR fines are steep: up to 20 million euro or up to 4% of annual worldwide turnover, whichever is higher, depending on the category of violation
- Any organisation that conducts business within the EU that collects or processes personal data needs to be GDPR compliant. This is regardless of company location and also applies to any organisation that is outside of the EU but targets (‘sells to’), monitors or does business with individuals within the EU. This is regardless of company size and includes SMEs as well.
- One of the most fundamental aspects of the GDPR is the need to ensure that you have ‘explicit’ consent. This means that the individual must take a clear affirmative action to give consent, such as ticking a box; pre-ticked boxes, silence or inactivity do not count. Consent must be given for a specific purpose and must be requested in a manner which is clear, accessible, transparent and in plain language, and it must be as easy to withdraw as it was to give.
- The GDPR now places direct obligations on ‘processors’ of data, even though they are not the controllers of the data. In the past, under the EU Data Protection Directive (95/46/EC), processors had limited obligations and were largely free from fines and direct responsibilities.
- The GDPR has strengthened the definition of processing and expanded the definition of personal data (what is often called Personally Identifiable Information), including what constitutes sensitive or ‘special category’ personal data. Under the GDPR, biometric data used to uniquely identify a person is now a special category, resulting in new obligations for organisations that use biometrics for access control and authentication. If you collect or process any form of special category data your obligations are stricter, such as conducting Data Protection Impact Assessments on high risk processing and, where such processing is a core activity carried out on a large scale, appointing a Data Protection Officer.
- GDPR also includes strengthened obligations around technical and organisational measures (Article 32), with stronger links to IT security practice. While there is no ‘silver bullet’ prescribing what these measures are, they do require a more comprehensive view of physical and data security controls, as well as implementing measures such as pseudonymisation, encryption, archiving, data deletion and minimisation. Note that pseudonymised data is still personal data under the GDPR, because it can be attributed to an individual with the use of additional information; only properly anonymised data falls outside its scope.
- GDPR is not about ‘ticking’ the boxes or a ‘one off’ inventory, it is about embedding strong privacy management practices across the organisation including training, awareness, policy and procedural changes and a clear understanding of process and risk areas where personal data can be exposed.
- GDPR brings with it a culture change in terms of how employees handle personal data. Employees need to think twice when they are processing personal data in day to day activities, such as the simple sending of an email with a resume to potential interviewers. Equally, organisations need to ensure that processes and controls are in place to protect all personal data.
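The pseudonymisation and minimisation measures in the list above are easy to get wrong, so here is an added example (written for this page, not taken from any regulator guidance or product) of the pattern a practitioner would use: direct identifiers are replaced with a keyed HMAC-SHA256 token whose key is held separately from the dataset, and fields the downstream analytics does not need are dropped. The record contents, field names and candidate list are constructed for the example. It also shows why an unkeyed hash of an email address is not a meaningful pseudonym: anyone with a list of plausible addresses can recompute it.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and values are invented for this example.
RECORDS = [
    {"email": "alice@example.com", "dob": "1984-03-02", "country": "IE", "purchase": 42.0},
    {"email": "Bob@Example.com", "dob": "1990-11-17", "country": "DE", "purchase": 17.5},
    {"email": "alice@example.com", "dob": "1984-03-02", "country": "IE", "purchase": 8.0},
]

# Fields the (hypothetical) analytics job actually needs. Everything else is
# dropped before the data leaves the system of record: data minimisation.
ANALYTICS_FIELDS = ("country", "purchase")


def _canonical(identifier: str) -> bytes:
    # Normalise so that "Bob@Example.com" and "bob@example.com" map to one token.
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed token for a direct identifier.

    The key is the 'additional information' of GDPR Art. 4(5): it is stored
    separately from the pseudonymised dataset, so the dataset alone does not
    let anyone attribute a row to a person, while rows about the same person
    remain linkable for analytics.
    """
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Shown only as the anti-pattern:
    the input space (email addresses) is small enough to enumerate."""
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def minimise(record: dict, keep=ANALYTICS_FIELDS) -> dict:
    """Keep only the fields the stated purpose requires."""
    return {k: record[k] for k in keep if k in record}


def build_analytics_dataset(records, key: bytes):
    """Minimised rows with a stable, keyed subject token in place of the email."""
    dataset = []
    for r in records:
        row = minimise(r)
        row["subject_id"] = pseudonymise(r["email"], key)
        dataset.append(row)
    return dataset


def reidentify(token: str, candidates, tokeniser):
    """Dictionary attack: recompute tokens for candidate identifiers and look for
    a match. Succeeds against naive_hash; fails against keyed tokens unless the
    attacker also holds the key."""
    for c in candidates:
        if hmac.compare_digest(tokeniser(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated at runtime; in production, kept in a separate key store
    dataset = build_analytics_dataset(RECORDS, key)
    for row in dataset:
        print(row)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("naive hash recovered:", reidentify(naive_hash("alice@example.com"), guesses, naive_hash))
    print("keyed token, no key: ", reidentify(dataset[0]["subject_id"], guesses, naive_hash))
```

Two design points matter here. First, the same identifier gives the same token under one key, so analytics can still count repeat customers, and using a different key per purpose or per recipient stops tokens from being joined across datasets. Second, linkability is exactly why this is pseudonymisation rather than anonymisation: whoever holds the key can reverse the attribution, so the key itself needs the access controls, logging and deletion schedule that the personal data would have had.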
As such, GDPR has become one of the most significant data protection regulations in the world, with far reaching implications beyond the EU.
Given the above, you may be struggling with ‘how to start’ and ‘what to do’ to rapidly move up the GDPR maturity curve.
GDPR readiness is best done within the construct of a Data Protection and Privacy Framework. This will provide you with the right structures for your GDPR activities and a solid basis for measuring compliance and implementation progress. There are 3 core aspects of a Data Protection and Privacy Framework:
- What are the measures that need to be put in place? Measures are those activities that are required to protect personal data, respect the rights of the individual and comply with the GDPR obligations. Over 45 out of the 99 articles within the GDPR translate to specific measures for compliance for a standard business. You need to define what activities need to be implemented to be GDPR compliant and these become your implementing ‘measures’.
- What records do you need to keep, or evidence do you need to show, to demonstrate compliance? The ‘accountability’ principle of GDPR sets out clearly that all organisations need to be able to demonstrate compliance, no matter what size. Smaller organisations (under 250 employees) may have reduced record-keeping obligations depending on their processing, but they are still accountable for compliance. As such, ensuring that you are capturing, storing and reporting your ‘proof points’ is important. Approximately 40 of the GDPR measures above require evidence of compliance. This number changes depending on the size and nature of your business, but in general the more you monitor, the stronger your GDPR practices and maturity will be.
- It is essential to have clear accountability for GDPR, not only within the business areas where data is collected and processed, but also across the organisation. Most importantly clear accountability is essential at senior levels, ensuring regular reviews, dialogue, governance and reporting. Accountability also links to your GDPR implementation roadmap, outlined in more detail below, where you need to establish clear ownership for completion of tasks in the plan.
Once you have established your Data Protection and Privacy Framework, you will have a good understanding of what needs to be in place for your organisation – not only to become compliant but also to demonstrate a long term sustainable practice.
So where to start?
- First of all, you will need to baseline your GDPR compliance. This involves assessing and documenting the status of your GDPR compliance across your business processes, reviewing your policies and procedures, data, customer communication, consent language, contracts, governance and reporting. This will define your gaps and risks and you can then prioritise what needs to be done to address these gaps.
- Second, you need to develop a plan and assign ownership of it. You need to define what must be done to close the gaps and mitigate the risks. This might require embedding new procedures, reviewing consent language or mapping out data flows. These activities will comprise your roadmap, which should also include activities that ensure ongoing capability.
- Third, you need to keep a steady progress as you implement the various activities and deliverables. Put together a team to deliver on the plan with an engaged and accountable owner. Ensure that the team has the resources and support to ensure implementation. Establish how you will measure progress and report regularly to the senior team to ensure that roadblocks are addressed, and deliverables effectively implemented.
- Finally, you need to maintain and sustain your efforts to become GDPR compliant. This involves establishing key roles within your organisation, such as a Data Protection Officer or compliance roles matrixed in the lines of business. It also requires ongoing awareness, training and reporting and establishing ways of working such as embedding ‘data protection by design and default’, which means that data protection obligations are taken into consideration for all new projects and / or commercial relationships.
Companies that are proactive and have good data governance and data management practices can benefit from increased business, higher levels of consumer confidence and improved security.
GDPR readiness is about a structured framework and its systematic implementation. It is about your ‘ways of working’ and needs to become an integral part of your business; in the end, it is simply good business practice.
Most importantly, it is about the fundamental rights and freedoms of individuals with regard to the processing of their personal data, and your obligation to respect and protect those rights.