This is the fifth post in our series to help businesses prepare for the EU General Data Protection Regulation (GDPR). To learn more, see our previous posts, “What GDPR Means for B2B Marketers,” “Does My Company Need a DPO for GDPR Compliance?” “GDPR and Data Security: What You Need to Know,” and “What the GDPR’s ‘Right to Be Forgotten’ Really Means.”
In just a few weeks, the European Union will enforce the GDPR, ushering in a new era in personal data processing for companies around the world. If your company processes the personal data of EU residents, you will need to be compliant as of May 25, 2018, or face the risk of serious penalties.
Failing to comply with GDPR could incur fines of up to 20 million euros (about $24 million) or 4 percent of global revenues, whichever is greater. Besides keeping you out of trouble with the EU, compliance will also be an important consideration for business clients and partners who also must comply with the regulation.
With less than a month to go before the deadline, it’s time to review your compliance efforts so far and ensure that you tie up any loose ends before May 25. We’ve put together a list of areas to review with an eye to GDPR requirements; of course, no two companies are alike, so consult your legal counsel and your compliance team for advice specific to your company’s situation.
1. Document Your Data Inventory and Workflows
Remember what the “D” in GDPR stands for — data. To comply with the regulation’s requirements, you need to know what personal data you have, how you collect it, what you do with it, where you store it, how you protect it, and which third parties handle it.
To prevent any compliance issues from falling through the cracks, a thorough data inventory and documentation of data workflows — including those that involve third parties — is essential. Once these are complete, it’s easier to identify areas covered by the GDPR and to conduct a gap analysis between your current state and where you need to be on May 25. Review your contracts with third parties who handle personal data for you and ensure that they also comply with applicable GDPR requirements.
2. Appoint Your Data Protection Officer if Needed
Article 37 of the GDPR establishes which companies must appoint a data protection officer (DPO): organizations that (a) are public authorities, (b) engage in “regular and systematic monitoring of data subjects on a large scale,” or (c) process “special categories” of personal data such as criminal records. (If you have specific questions about whether your organization needs a DPO, consult your legal counsel.)
The DPO’s job is to monitor GDPR compliance, which requires expertise in several areas. If your company requires a DPO and you have not yet filled the position, make sure the appointment is in place by May 25. (For more information, see “Does My Company Need a DPO for GDPR Compliance?”)
3. Ensure Data Security Measures Are in Place
Besides giving data subjects greater control over their personal data, the GDPR also aims to ensure that firms handle that data responsibly and securely. Article 32 of the regulation states that covered organizations “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
The article calls out specific measures such as encryption, ensuring ongoing availability, and regular testing, and Article 25 adds the requirement for “data protection by design and by default.” To prepare for the May 25 deadline, make sure the appropriate data security measures are in place; if some measures will not be complete by the deadline, make sure you have documentation showing that work on them is under way. (For more information, see “GDPR and Data Security: What You Need to Know.”)
4. Review Your Consent Process
When the GDPR goes into effect, companies can no longer get away with long, confusing consent forms or default opt-ins. Article 4 defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In November 2017, the Article 29 Data Protection Working Party (the EU’s advisory body on data protection issues) published specific guidelines on complying with this requirement.
Make sure you have reviewed all consent forms to ensure they comply with GDPR requirements. Remember, your request for consent must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” and consent must be explicit.
5. Put GDPR-Required Processes in Place
In giving data subjects greater control over their personal data, the GDPR mandates several processes that may be new to some organizations. These include, but are not limited to:
– Processing requests for erasure (“right to be forgotten”)
– Responding to requests for access and correction of personal data
– Notification of data breaches within 72 hours
Review your policies and procedures to ensure that you can respond to these requirements in a timely manner. If, for example, a data subject requests erasure of all her personal data, a prompt response requires (1) knowing where you store her data, (2) having processes for erasing covered data in a compliant manner, and (3) notifying her that you have processed her request. Having these procedures in place will help ensure that you can respond to GDPR-related requests or inquiries thoroughly and promptly.
6. Train Your Teams
Complying with the GDPR involves a wide range of activities involving many areas of the organization — from IT to marketing to shipping to customer service to sales. Make sure that every team member who handles personal data understands what the GDPR is, how it affects your organization, and the role they play in your compliance efforts.
How True Influence Is Preparing
At True Influence, we’re in full compliance with applicable domestic data protection regulations, and we’re committed to complying with GDPR across all services by the time the regulation takes effect on May 25, 2018. We have a dedicated internal team made up of cross-functional stakeholders who are overseeing every aspect of our GDPR readiness. To learn more, view our GDPR Statement.
The checklist above represents a few key areas of GDPR to address before the May 25 deadline, but of course it is not comprehensive. Make sure you have a solid understanding of how the regulation impacts your organization and which gaps you need to fill.
It’s also important to recognize that compliance is not a once-and-done undertaking. As the technology environment continues to evolve, expect to see new requirements and clarifications emerging from the EU to ensure ongoing protection. You’ll also want to revisit your personal data processing practices regularly to ensure that you continue to meet your obligations and attract clients who are looking to partner with GDPR-compliant organizations.