Ready or not, the EU’s General Data Protection Regulation takes effect on May 25, 2018—less than two months from now. While some are rushing to meet this fast-approaching deadline, forward-thinking companies have been preparing for quite some time—and it is through their experiences that others can gauge their own GDPR readiness.
The GDPR marks the most sweeping changes to EU data privacy laws in more than 20 years, creating a harmonized set of regulations across the European Union that govern how companies collect and process the personal data of European citizens. At its heart is a fundamental shift in the rights of data ownership; all EU citizens are considered by default to be the owners of their own personally identifiable information, and companies can only use it with their permission. While meeting the compliance obligations of GDPR is no easy task, some companies say they are embracing it as an opportunity to enhance their data protection programs.
“It’s really an opportunity for us to position privacy as a business enabler and a differentiator,” Loretta Marshall, senior regional counsel of privacy and data protection of global payments and technology company Mastercard, said on a recent GDPR Webinar.
At Mastercard, for example, privacy and data protection are at the core of its business model. “We have quite a robust data protection program in place, with a team of more than 40 privacy professionals,” including lawyers, data governance specialists, risk managers, data strategists, and communications experts, Marshall said, “and we all work together globally to make sure we’re in compliance with the GDPR and with all other global data protection laws.” Mastercard is fortunate to have the strong support of senior management, which is also key, she said.
Overall, the GDPR provides an opportunity to have an open dialogue, to talk and think a lot more about the potential impact on changing a product or service or what it would mean for a certain market, Marshall said. It’s more than thinking about changes in processes; it’s also thinking about differences in approach, she said.
With opportunities, however, come compliance challenges. Below is a look at some of the biggest compliance challenges and how companies are tackling them.
Data maps. Legal executives in the privacy space agree that one of the biggest challenges to being, and staying, GDPR compliant is the data-mapping exercise, and specifically keeping up with ever-changing products, service offerings, and systems. As time goes on, small changes that creep into systems and service offerings, and that may not strike the business as significant, can make a big difference from a data protection standpoint, said J. Andrew Heaton, global lead counsel of data privacy and security at EY.
Because fines for non-compliance under the GDPR are so severe (up to four percent of total annual global revenue or €20 million (U.S.$25M), whichever is higher), “it becomes even more important for us to keep up with that sort of thing,” Heaton said. Specifically, it’s important from a compliance standpoint to have processes in place to keep on top of any developments in products, service offerings, and systems.
That’s no easy task for any company. At Mastercard, “this has required a really big effort,” Marshall said. Because Mastercard authorizes, clears, and schedules card transactions on behalf of banks, it’s those card numbers that need to be protected in accordance with global data protection laws. At the same time, however, certain business lines within Mastercard collect and process more data than others—in the context of a marketing initiative or loyalty rewards program, for example.
To tackle this compliance hurdle, each business line was asked to provide a data map, documenting all the personal data it handles for each product or service. “We now have 122 data maps covering all our products and services and systems, which double up as our records of processing, should a [data protection authority] ever ask us about how we handle data,” Marshall said.
Mastercard has also created an automated data inventory to track in real-time what data it has, on which platform it is stored, and what restrictions exist for each data point. “Although it was a challenge to pull this all together, it has brought us to a much better place and has allowed us to address a lot of questions around GDPR,” Marshall said. Furthermore, Mastercard and IBM on March 15 announced the launch of Truata, an independent trust designed specifically to enable companies to analyze their data while complying with the privacy and data protection requirements of the GDPR.
Privacy-by-design is another aspect of GDPR that companies are working to operationalize. The GDPR makes privacy-by-design an express legal requirement, mandating that data protection and privacy controls be considered from the outset.
Mastercard, for example, has developed a checklist to help business lines make decisions about what data they collect and process. “This is something we’ve been working quite hard on within the different business lines, so that they have tools to think about what GDPR means in their different business areas,” Marshall said.
As part of that checklist, business lines are encouraged to think about how long they need the data; who has access to it; and in which systems the data is stored. They are also encouraged to think about best practices around data minimization, security measures, de-identifying data where possible, and instances where card numbers can be replaced with tokenization.
The marketing business line, specifically, is encouraged to think about what is meant by embedding privacy into the design of marketing products and services to anticipate and prevent potential privacy threats, Marshall said. They are encouraged to think about what data they really need, or whether the product or service can function without a particular data field. “If the answer is ‘yes,’ the follow-up question is, ‘do you really need it?’ We would say, ‘no, that’s not the case.’ ”
Data protection officers. Companies are also grappling with whether they need a data protection officer (DPO), and who should serve that role. The GDPR states that companies whose “core activities” include the processing of “special categories” of personal data on a “large scale” must designate a DPO. That DPO will be the single source of contact for the supervising authority and will be required to advise upon, and maintain, compliance with the GDPR.
Moreover, the GDPR specifies that the DPO have “expert knowledge of data protection laws and practices,” but does not define what that means. Such uncertainty has generated a lot of back-and-forth debate as to whether the appointed DPO needs to be a lawyer.
“There is the potential for conflict between the DPO and other positions,” Heaton of EY said. “We concluded that we didn’t want a general counsel of a member firm or region serving as the DPO because of the potential for conflict. We thought it was best to keep the DPO from having to be in a defensive posture.”
Others have questioned whether the DPO can also be the chief information security officer (CISO). Nothing says that the DPO cannot also be the CISO, so long as the DPO has the required expert knowledge of data protection laws and practices, and “so the CISO should meet those requirements,” Heaton said.
Another debate is where the DPO should sit in an organization, a decision that is dependent on the makeup of each firm. Global payment technology solutions company First Data, for example, already had a DPO in place as a requirement under German law. “What we will do is appoint one single DPO for our group of companies,” said Jennifer Showers, GDPR compliance program director at First Data.
Whether to appoint a single DPO for the firm’s worldwide operations was something EY considered very carefully. “It was one of the most difficult issues we had to confront,” Heaton said. “We ultimately concluded that, because of our member-firm structure … it would not be appropriate for us to mandate a single global DPO.”
Instead, what was decided was to give all the member firms the option to appoint a DPO either at the member-firm level or at the regional level, he said. Also, EY has decided “to appoint a single DPO for our central entities, our global governance organizations,” he said.
Any country that wishes to appoint the central entity DPO as their own DPO will be allowed to do that as well, with the caveat that the local country must appoint a member of their local team to work along with the central entity DPO. “So, it’s a kind of mix of a centralized and decentralized model. We are going to keep our eye on the market and see what other businesses are doing, what our competitors are doing. If we need to change it going forward, we’ll do that.”
Breach notification. Breach notification is another major change for global companies with operations in countries where such requirements currently are not in place. This differs from the United States, where companies have had breach notification processes set up for quite some time.
Moreover, the breach notification requirements under GDPR are quite different from what is required in the United States. Under the GDPR, data controllers must report a data breach to the supervisory authority within 72 hours after having become aware of it. In practical terms, that means systems will need to be reviewed and revamped to comply with a much shorter response time.
In some respects, meeting the compliance requirements of the GDPR can be achieved by leveraging the expertise spread throughout the global network. At EY, “we’ve tried to leverage the various knowledge we have in various countries in order to try to get the rest of our network up-to-speed and on board,” Heaton said.
With the breach notification requirements, for example, EY has leveraged its U.S. team, “which is extremely well-versed in this and already has systems set up in many cases,” Heaton said. EY has built a single global tool to track and handle breach incidents: staff can log an incident directly into the tool, which also enables the business to track responses and deadlines, “so we’ve tried to centralize as much as we can,” he said.
As another example, with respect to subject-access rights, such as data portability and the “right to be forgotten,” “our U.K. practice had far and away the best subject-access rights program,” Heaton said, and so the business was able to leverage their expertise for that area.
Finally, for many companies, GDPR compliance is all a matter of adjusting to a whole new way of doing things. Said Heaton, “We’ve had to change the mindset of some of the people in the United States from a mindset of wanting to get all the facts together before we notify anybody about anything to a mindset of, ‘Look, you’re going to have to notify before you know everything, and you have to figure out a way to deal with that.’ ”