As we discussed here and here, the new General Data Protection Regulation (GDPR) is scheduled to become effective May 25, 2018. It represents the most important change in data regulation in 20 years, and it applies to any company that collects or processes the personal data of EU data subjects – EU residents and visitors alike. Although this regulation cuts across all industries, it is likely to have the biggest effect on those industries that are global in nature – hospitality, pharmaceuticals, retail, financial services, and aerospace and defense.
Companies in the U.S. and elsewhere have just under 9 months to comply with the new regulation, and compliance departments are scrambling to develop their compliance programs. A poll of participants in a Protiviti webinar on July 18 found that a little more than a third (36 percent) of companies have programs underway, with an additional 25 percent planning to begin within the next six months. Still, this leaves almost 40 percent of companies nowhere near getting ready to meet the 2018 deadline!
Where to Begin?
The best place to begin is with developing a data inventory – a reference document that provides a concise summary of all important aspects of an organization’s use of personal data. The data inventory serves as the GDPR’s Article 30 “Record of Processing Activities” document and is a trusted source for any information about the use of personal data in a company.
Developing the data inventory involves determining which customer or employee data is subject to the GDPR, where that data is stored and processed, and whether it is passed on to any third parties, including cloud service providers. Once the inventory has been created, a company should compare the many specific requirements, such as data subject access rights, breach notification and information security, to its current capabilities and document the gaps for remediation. That remediation process should prioritize high-risk operations, applying controls that are calibrated for that risk.
Special attention should be paid to third parties that are processing a company’s data (vendors or others) – they are essentially held to the same standards as the companies themselves. Based on our experience so far, this is likely to consume at least 40 percent of companies’ time and resources related to the GDPR assessment during the remediation process. As a practical matter, for every known vendor relationship there are two more flying under the radar. Of course, vendors are going to be at their most accommodating during contract negotiations. For any new vendors, companies should get vendors to agree on the necessary accountability measures, such as analytic dashboards and audits, before they sign the contract. However, existing vendor agreements are likely to require extensive changes. Article 28 of the GDPR provides a good laundry list of third-party compliance requirements for reference. Technology should be deployed to enable visibility and track compliance metrics.
In developing their compliance framework, companies should keep in mind the key infrastructure elements: people, process and technology. From a people perspective, this means determining data ownership roles and responsibilities. Also, since many companies will need to hire data protection officers (i.e., all public companies as well as non-public companies that process personal data in certain special categories or that engage in large and systematic monitoring of individuals, such as big data marketing analytics), competition for good people will be fierce, so this should be a priority early on. Even in cases where a DPO is not required, a data privacy manager needs to be appointed – someone who is responsible for day-to-day privacy management.
Developing the GDPR program is not inconsequential, and it won’t be cheap. According to some estimates, one in four organizations with over 5,000 employees will invest more than $1 million in developing a GDPR compliance program. However, fines for violations are even higher.
To learn more, check out our series of planned roundtable discussions over the next three months in major cities throughout the United States. You can also subscribe to follow our blog for future GDPR-related blogs and announcements.