Companies that collect or process personal data on citizens in the European Union have just over one year now to comply with one of the strictest data privacy laws in the world. But how to prepare and where to begin still has many companies flummoxed.
On May 25, 2018, the EU’s General Data Protection Regulation will take effect. Designed to bring EU data protection laws into the digital age, the GDPR replaces the EU Data Protection Directive, enacted in 1995, marking the most sweeping changes to EU data privacy laws in more than 20 years. The result is a harmonized set of rules across the European Union.
Unlike the previous EU data privacy landscape, however, the global scope of the GDPR’s application is far more significant. Whereas only companies physically located in Europe could be found liable for data privacy violations under the Data Protection Directive, the GDPR, in comparison, makes any company—even those outside the European Union—liable so long as it offers goods or services to individuals in the European Union, or if it monitors the behavior of EU citizens.
The scope of European data protection laws has been expanded in another significant way, as well: Whereas the former Directive applied only to data controllers (those who collect and own the data), the GDPR jointly holds liable data processors (essentially, third-party vendors).
Some tech innovators, however, see the business value in GDPR compliance. U.S. multinational technology companies “should view the GDPR as a huge opportunity,” said Robert Feldman, deputy general counsel at global software company Citrix, during a recent Compliance Week webinar on GDPR compliance.
Software companies that can showcase to customers their privacy program and communicate how they can help their customers enhance their own privacy compliance programs can gain a competitive advantage. “It creates an opportunity to build trust with customers,” Feldman said.
“We are getting daily questions from internal and external sources about our readiness plan,” Feldman added. Communication with both internal and external stakeholders is a big piece of GDPR readiness, he said.
For other companies, the GDPR is a compliance nightmare. Broadly speaking, it requires greater oversight of where and how companies store and transfer personal data and how access to data is monitored and audited.
U.K. Information Commissioner Elizabeth Denham described the GDPR as “an evolution, not a revolution, of laws.” The United Kingdom, for example, has had strong data protection laws in place since enactment of the Data Protection Act in 1998.
“The impact on businesses depends on how much work they have done to comply with the current regime,” Denham told the House of Lords EU Home Affairs Sub-committee in March. “If a company has not been doing anything for the last 10 years on data protection ... the resource implications are going to be larger.”
For companies that have not upgraded their data compliance programs, now is the time to start, so they might be GDPR-ready by May 2018.
Build awareness. Employees are at the core of a holistic data privacy program. Under the GDPR, certain companies will be required to appoint a data protection officer (DPO) independent from the organization whose tasks will include, in part, “awareness raising and training of staff involved in the processing operations,” the GDPR states.
Thus, one of the first steps toward GDPR readiness is to identify whether the company engages in any data processing activities described under Article 37 that require the appointment of a DPO, said Amanda Chandler, global privacy manager at telecommunications company Vodafone Group Services, during the webcast.
If a DPO is required, the company must then decide who will fill the role, to whom that role will report, and where that role will sit within the organization. Analysis conducted by the International Association of Privacy Professionals (IAPP) found that as many as 75,000 DPO positions will be created around the globe in response to the GDPR.
If a DPO is not required, then companies should designate an individual with responsibility for data protection compliance, per guidance published by the Information Commissioner’s Office (ICO), Britain’s data privacy watchdog. “The important thing is to make sure that someone in your organization, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support, and authority to do so effectively,” the guidance states.
All employees must receive global privacy awareness training. Such training should focus less on the law itself and more on the basics: What is personal data? Why should employees care about data privacy? What are their responsibilities in protecting said data?
Map your data. “Understanding what personal data you capture and where you capture it is absolutely essential,” Chandler said. Without a firm grasp on what data you have and where it’s located, compliance with the GDPR will be impossible.
One reason for this is that the GDPR includes a “right to be forgotten” clause, which requires companies to scrub personal records from all company systems upon request, and then prove that the information has been deleted permanently. Individuals can request that their personal data be erased “without undue delay” when it’s no longer needed for the purposes for which it was collected or processed, or if individuals withdraw consent or object to the processing, and there are no legitimate or lawful grounds for retaining the data.
Never keep personal data just because it could be of interest in the future, Chandler said. Keep only the data you need now.
The GDPR also establishes a right to data portability, allowing individuals to request, where technically feasible, that data controllers transfer personal data to another service provider. Putting processes in place for meeting these requirements is also important: How will those requests be received? Who will be tasked with responding to those requests? How will personal data be erased following such a request?
PREPARING FOR GDPR
The U.K. Information Commissioner’s Office outlines 12 steps to take now to prepare for the EU’s General Data Protection Regulation.
Awareness. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject-access rights. You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Legal basis for processing personal data. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Consent. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Children. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data-protection-by-design and data-impact assessments. You should familiarise yourself now with the guidance the ICO has produced on privacy impact assessments and work out how and when to implement them in your organisation.
Data protection officers. You should designate a data protection officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
International. If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
A recent study conducted by Veritas suggests, however, that many companies don’t have confidence in meeting these requirements. Forty-two percent of 900 senior business decision makers surveyed said they do not have a way to determine which data should be saved or deleted based on its value. Additionally, 39 percent expressed doubts about being able to accurately identify, locate, and manage personal data during a search.
One way to overcome this compliance hurdle is to divide and conquer. Organize an internal taskforce made up of stakeholders from across the business—management, IT, security, legal, compliance, marketing, HR, and finance—and across geographies to figure out how to map all that data.
GDPR readiness is a large-scale, cross-functional compliance project that requires the time and investment of all key functional areas. “It cuts across the business,” Feldman said.
Conduct a gap analysis. The fundamental concept of the GDPR builds on existing data protection principles of fairness, transparency, proper data management, and information-security management, so building upon an existing privacy program is a good starting point. Assess what privacy practices the company already has in place in comparison to what new policies the GDPR mandates, “and have sensible, timebound action plans for filling those gaps,” Chandler said.
For example, review how the company seeks, obtains, and records consent, and whether changes need to be made. Under the GDPR, data controllers must be able to demonstrate that consent was given. “You should, therefore, review the systems you have for recording consent to ensure you have an effective audit trail,” the ICO guidance recommends.
Make privacy by design automatic. The GDPR also now makes privacy by design an express legal requirement, mandating that data protection and privacy controls be considered from the outset. The ICO guidance recommends that companies familiarize themselves with separate guidance it has published on Privacy Impact Assessments (PIAs) and assess how to implement one. “This guidance shows how PIAs can link to other organizational processes, such as risk management and project management,” the guidance states.
Data breach response. Under the GDPR, data controllers must report a data breach to the supervisory authority within 72 hours after having become aware of it. Where such notification cannot be achieved within this timeframe, “the reasons for the delay should accompany the notification, and information may be provided in phases without undue further delay,” the GDPR states.
“You should start now to make sure you have the right procedures in place to detect, report, and investigate a personal data breach,” the ICO guidance states. “This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach.” The limited timeframe to report a data breach also speaks to the importance of implementing a GDPR tool for automating assessments and tracking incidents.
Penalties for non-compliance are severe, which is another significant driver of GDPR compliance. Companies that don’t meet the new requirements can face fines up to four percent of total annual global revenue or €20 million (U.S.$21.5 million), whichever is higher. In comparison, the ICO currently levies a £500,000 ($640,000) maximum fine.
“The stakes are higher now,” Feldman said. “The visibility that the GDPR has brought to privacy is causing U.S.-based companies to take a hard look at their existing privacy programs, which may have had gaps for many years.”
For privacy professionals, the enhanced penalty provisions come with a silver lining. “This is a real opportunity to demonstrate to their business the value that they bring,” said Chandler of Vodafone. Often, the success of a privacy professional is measured by the absence of a data breach, she said.
The GDPR makes that no longer the case. Having to demonstrate in a “clear, robust, and methodical way” the policies that are in place and the processes that are in place to deliver those policies, Chandler said, will help privacy professionals “become more visible within the organization as an integral part of enterprise risk management.”