On May 25, the General Data Protection Regulation (GDPR) goes into effect. At least one-third of organizations are still not ready for it, and far too many are dropping GDPR compliance responsibilities at the feet of their IT departments, mistaking it for something that can be addressed wholly with technology instead of with governance leading the way.
One thing that’s clear is that this broad and complex data protection regulation has organizations worried, and with good reason. It applies globally, as the scope is focused on the processing of personal data of individuals in the EU, regardless of where the processing takes place. It also comes with the potential for never-before-seen financial penalties, which can rise to 20,000,000 EUR or up to 4 percent of an undertaking’s total worldwide annual turnover of the preceding fiscal year, whichever is higher.
If you’re not ready, you’re likely in good company. First and foremost, don’t panic. Continue working methodically and comprehensively in order to avoid getting tangled up in the complex requirements. If panic does start to set in, go back to the fundamentals in order to find your way forward:
1. Read the regulation. Then read it again. It is 99 articles of requirements. Go through it carefully to understand the many ways in which your business may be impacted. Take note of the broad definition of personal information, what is considered a special category of data, and what areas of your business might be working with such data. Make a list of the policies, processes, and agreements you may need to create or update.
2. Map your data. Know where your data comes from, where it is stored, how much you have, and where it goes, so that you can understand your risk footprint and apply the proper protections throughout the data life cycle. Ensure that you have the necessary agreements in place within and outside of your organization for processing the data, and that you have conducted the appropriate due diligence on your third parties and any necessary privacy impact assessments.
3. Check your consents. Under what authority did you collect the data? GDPR requires that you have a “lawful basis” for processing the data.
This might be explicit consent (unbundled, unambiguous, opt-in, as easy to withdraw as it is to agree, etc.), performance of a contract, or one of a few other specific allowances. If you do not already have what GDPR considers to be a lawful basis for the data, get it now.
4. Be prepared to respond. Under GDPR, individuals have the a wide range of rights around their data, including the right to access and correct their data, restrict processing, obtain a copy of it in a “machine readable” format, or request that their data be deleted. You’ll have 30 days to address requests when they come in, unless they are so complex or so voluminous that some (limited) extra time is needed. Make sure you are ready to handle them.
5. Take stock of other requirements. Appropriate security and incident response procedures, data minimization, data protection by design and default, privacy impact assessments, notices, agreements, data protection officers, and local representatives for certain organizations—the list of requirements goes on and on. Create a road map to attack as much of this as you can in tandem, and prepare a project plan to keep working on the issues after the deadline. Get your teams trained and build awareness for the additional changes to come.
The deadline is looming large, but you still have time to make a significant dent in the requirements. Your company may be one of the organizations that is not going to be ready for GDPR by May 25, but you can still be in the group that is ready shortly afterwards.
About the Author
For more than 25 years, Linnette Attai has been building organizational cultures of compliance and guiding clients through the complex obligations governing data privacy matters, user safety, and marketing. As the founder of PlayWell, LLC, Linnette advises private and public companies, schools and districts, trade organizations, lawmakers, and policy influencers. She serves as a virtual chief privacy officer and data protection officer to select clients, and speaks nationally on data privacy matters. She is currently a member of the Rutgers Center for Innovation Education Cybersecurity Advisory Board and is the project director for the Consortium of School Networking Privacy Initiative. Linnette is also the author of Student Data Privacy: Building a School Compliance Program.