The EU’s General Data Protection Regulation (GDPR), arguably the most comprehensive and ground-breaking privacy legislation to be implemented since the dawn of digital commerce, goes into effect in just 30 days. And your organization is not ready.
But you’re not alone. By the latest estimates, upwards of 60% of organizations subject to the GDPR will not be fully compliant by the implementation date of May 25th, 2018. And that number may even be a generous estimate: some polls and surveys expect that as few as 15% of organizations will truly be well positioned on May 26th.
The complexity, scope, and requirements of the GDPR are extensive, yet the GDPR is not prescriptive. It is a technology-neutral, principles-based law and offers little practical guidance on how its accountability measures, reporting obligations, and data subject transparency requirements are to be achieved across various industries, sectors, and data processing activities.
With the GDPR on our doorsteps, what can be done in the next 30 days, as a minimum, to take a shot at getting close to GDPR compliant? What will be enough to keep most organizations in the “safe zone,” at least for the first few months after May 25th? What might a prioritized set of steps look like?
The following is a six-point plan highlighting the essential ingredients that will keep most regulators at bay, at least for the time being. Those organizations that have already begun the compliance effort, as well as those wringing their hands over the initial first steps, should be able to make use of these practical points.
1. Identify the “as is” scenario in your organization.
Sit down with your executive board, C-suite, and key stakeholders with involvement in personal data processing activities, including legal, IT, HR, and others. Determine what your strengths and weaknesses are with respect to privacy and personal data management. Involving an external data protection officer or seasoned privacy consultant can be helpful to guide the process at this stage, should your organization lack the expertise in-house. From there, consider approaches for best prioritizing the GDPR compliance effort, according to areas of highest risk for your organization.
2. Leverage existing standards and approaches for cybersecurity, information governance and risk management.
Most organizations may be pleasantly surprised to learn that existing operational controls for cybersecurity, information governance, and risk management can be repackaged and/or minimally redeveloped for the specific compliance requirements of the GDPR. Pinpointing the tools and approaches already deployed by your organization can save an enormous amount of time in constructing your GDPR compliance framework.
3. Data inventory and data mapping – the most critical aspect of compliance
Many organizations are continuing to struggle in identifying approaches for data inventory and data mapping under the GDPR. While data crawling and scanning tools can be helpful for the process, technology solutions geared for information governance, such as data indexing and classification software, can be far superior, especially where petabytes of data may be concerned. Moreover, indexing and classification solutions can also be tailored for data disposition and streamlined data management, and can serve as a means for meeting numerous other aspects of GDPR compliance, including Art. 30 records, data protection impact assessments, subject access requests, procedures for the “right to be forgotten”, and more.
4. Vet 3rd party vendors – perhaps the most labor intensive, and critical, aspect of GDPR compliance
GDPR requirements and obligations extend to both controllers and processors. Accordingly, third party vendors and contractors processing EU personal data on behalf of your organization must be rigorously evaluated for GDPR compliance. The vetting process should be thorough, well developed, and exacting, and may require renegotiating service agreements in addition to rewriting or revising existing contracts. For organizations working with scores or potentially hundreds of third party processors in some capacity, the vetting process can be an enormous undertaking and should be launched immediately. Developing a standard GDPR compliance questionnaire, required of all existing vendors and contractors, can be an effective way to start.
5. Focus on data protection impact assessments – a priority for EU regulators
Like third party compliance above, data protection impact assessments (DPIAs) are a compliance priority and potential low-hanging fruit for regulators: an audit or regulatory assessment under the GDPR will likely start by examining these elements. They are the essential elements to show that EU personal data collection and processing activities have been examined, evaluated, and properly considered under the new regulation. A DPIA template developed in coordination with your data protection officer or privacy lead will be a useful way to begin. The template will ideally be tailored specifically for your organization and processing activities, and should be a living document, adjusted according to shifting areas of risk and business focus.
6. Training and awareness
Training and awareness will be an immensely important piece of the regulatory compliance puzzle. The GDPR, by its very nature, necessitates a multidisciplinary approach to compliance, requiring collaboration with legal, IT, HR, and other stakeholders involved in the processing of EU data. Develop GDPR training and awareness programs for employees and staff across all departments, and include specific indications as to what each staff member can personally do to mitigate data breaches and regulatory risks (by correctly identifying a phishing email, for example). Make the training engaging and interesting, but keep it brief and to the point. If possible, integrate the training into the new employee onboarding process as well.