Just in time for the one-year anniversary of the EU’s General Data Protection Regulation, a panel of compliance and privacy officers at Compliance Week 2019 shared their experiences on how they prepared for the GDPR, the challenges they faced along the way, and where they continue to find opportunities to enhance their data protection programs.

The GDPR, which took effect on May 25, 2018, established a harmonized set of rules across the European Union that govern how organizations collect and process the personal data of individuals in the EU, regardless of where the organization itself is based. At its heart is a fundamental shift in control over that data: individuals are treated by default as the ones with rights over their own personal data, and a company may process it only on a lawful basis, such as the individual's consent, and only for the purposes it has disclosed.

Having to prepare for these sweeping changes, however, continues to be a daunting task for many companies. According to a poll conducted during the GDPR panel discussion, 20 percent of attendees said they’ve started GDPR implementation but are behind, while another 14 percent said they haven’t started at all. Fifty-four percent said they believe they are substantially complete.


“Different business structures certainly lend themselves to taking a different first step,” said Avi Spira, chief compliance, risk, and privacy officer at FujiFilm Holdings America, who spoke on the panel. FujiFilm Holdings America, for example, comprises 21 affiliate companies across North America and Latin America, and each of those companies is very different in terms of the vendors with which it engages. “So, the first step was pulling together a team of trusted advisors,” he said, “and getting a grip on the company’s data profile.”

Data mapping is an essential part of that process. Its purpose is to establish what personal data the company collects in, or transfers out of, the European Union; the data subjects to whom that data belongs; where the data sits within the company; and who has access to it, both internally and externally, including vendors. Data subjects may include, for example, current and potential EU customers, employees who reside in the European Union, or individuals in the EU who visit the company’s website.

“If you don’t understand all those things, you cannot adequately protect the data as required under GDPR,” said Laura Martino, associate general counsel, compliance and privacy at Global Jet Capital, who also spoke on the panel. “Data mapping really set the foundation for some of our other activities,” she said, including drafting policies and procedures, as well as drafting revised vendor agreements.

Data mapping is an essential part of crafting revised privacy notices, for example. “The purpose of [a privacy notice] is to let data subjects know how we use the data, the types of data we collect, who has access to it, and for what purposes we’re collecting such data,” Martino said. “You can’t form a policy unless you engage in that degree of data mapping.”


Another step toward becoming GDPR compliant, Martino said, was supporting vendor management. That meant understanding what data vendors have, what data they touched, “and how we manage that risk,” she said.

Beyond GDPR compliance, data mapping is simply good internal hygiene. “Doing that deeper dive was really important because without doing it, we actually would not have known where a lot of the data we had resided,” Spira said.

Martino stressed, however, that data mapping is a living, breathing process. “You open up a Pandora’s Box after you’ve done your data mapping,” she said.

New vendors will continue to be onboarded. New products will be rolled out. Mergers and acquisitions will occur. “Data mapping is a snapshot in time,” Spira said.

Unexpected challenges

During the panel discussion, Martino and Spira also spoke about the unanticipated challenges of becoming GDPR compliant. “I had to mobilize people and really establish credibility pretty early in the process,” Martino said. “That was one of the challenges in this: getting folks to cooperate fairly quickly.”

A second unanticipated challenge, Martino said, was having to establish a data mapping process to better track vendors and vendor contracts. “We didn’t really have an internal process for data mapping through which we identified who our vendors were, what kind of data they were collecting, and tracking that,” she said. “I can’t ask them to sign and execute a security addendum if I can’t say with certainty what kind of contracts we’ve already signed in the past.”

Determining which vendor contracts needed review—among a large universe of them—required first understanding which ones touched the data of EU citizens and, thus, posed a high risk. That required approaching various functions to understand what data they were handling, Martino said. “Once we dealt with that backlog and legacy vendors, there were already new vendors that were onboarded,” she explained.

Since then, a new step has been built into the company’s AML/KYC onboarding due diligence process: for each vendor, the employee who owns that relationship now records what data the vendor has access to, so the inventory is maintained as vendors are added. “Now I have to negotiate all these contracts and will continue to do so,” Martino said. “It’s not over. It has just begun.”


When you start turning over rocks, you find things hidden underneath. When FujiFilm was moving toward GDPR compliance, for example, it was discovered that “we were engaging in legacy activities that no longer made sense,” Spira said, “so we were able to curb certain activities.” That added value well beyond GDPR, he said.

More to come

Some states in the United States are forging ahead with their own versions of the GDPR. California, for example, enacted a law in 2018 that takes effect in 2020 and, in large part, mirrors the stringent data protection and privacy requirements of the GDPR, making it the first state in the nation with such a law on the books.

Specifically, the California Consumer Privacy Act (CCPA) gives California residents several new rights over their data, including the right to request information about the sources and purposes of the personal information collected about them, the right to have that personal information deleted, and the right to opt out of the sale of their personal information. It is one more privacy law that most companies say they are not prepared for, according to a recent survey of privacy compliance professionals conducted by Compliance Week and TrustArc.

“I do think that some of the efforts that we have undertaken to prepare for GDPR will lend themselves to better understanding of what might be required under state laws and prepare us for more sweeping federal legislation in this regard,” Martino said. “For companies that did not have to worry about GDPR, this is going to be an immense learning curve.”

A good starting point for all companies is to realize the risk and not keep your head in the sand. “Most companies out there don’t think of themselves as a data company—but we’re pretty much all data companies,” Spira said. “It’s just a question of to what extent.”

Even among companies that are not concerned about the GDPR because they do not do business in the European Union, it’s still important to understand “where the business is moving and the evolution of your business, because if you have a new business plan to engage in Europe in some way, shape, or form, this is not just a simple check-the-box exercise,” Spira said. “It would be a crisis moment where if you’re not prepared for it, it’s going to get really ugly.”