Last week we discussed what GDPR is in very broad terms. We also discussed the general criteria used to determine whether an organization needs to comply with GDPR. Just to refresh our memories, an organization falls within scope if any of the following applies:
- You have a physical presence in the EU (even if it is only a small sales and marketing office).
- You have no physical presence in the EU but you offer products or services to EU residents.
- You offer no products or services to EU residents but you monitor their online behaviour.
You need to comply… now what?
If your company falls under at least one of the categories described above, you need to comply with the requirements imposed by GDPR. This may seem overwhelming, especially when you realize that May 25, 2018, the date the regulation starts to apply, is really not that far off.
GDPR encourages a risk-based approach, meaning that you need to look at your specific business situation and at the type of personal data you collect, and from there decide how you want to implement safeguards and processes. The key question is: if the personal data you collect is compromised, would that put the individual's rights and freedoms in harm's way?
These are a few of the things that you need to keep in mind, mostly so that you do not lose your mind over this:
- What kind of personal data are you collecting? There are different "degrees" of sensitivity when it comes to personal data. You are not facing the same level of risk, and thus not exposing the individuals you deal with in the same way, if you collect email addresses versus ethnic origin, political or religious beliefs, or health data (GDPR calls the latter "special categories" of personal data and restricts their processing more tightly).
- Are you transferring data to a country outside of the EU? Has the European Commission issued an adequacy decision for that country? If not, what safeguards (for example standard contractual clauses or binding corporate rules) do you have in place to ensure a lawful transfer and adequate protection of the personal data?
- Is a third-party organization processing personal data on your behalf, or are you processing personal data on behalf of another company? If so, you need to review your current agreements and ensure they contain the provisions that guarantee the processing of personal data will be performed according to GDPR expectations (GDPR requires a written contract between controller and processor).
- How transparent are you in explaining to individuals what data you collect from them, how you use it, with whom you share it and for how long you keep it? Do you rely on their consent to process their information? If you do, you will need to record when they give consent and, equally important, when they withdraw it.
- Do you need a Data Protection Officer, and if you don't have a local presence in the EU, have you decided who your EU representative will be? The data protection authorities want to establish a relationship with organizations that process EU residents' personal data and to have someone "on the ground" to respond to requests or questions from data subjects. Having a structure in place that facilitates these new relationships is a good step to take.
Don’t panic, just put a plan in place and start executing on it
Now that the picture is clearer around what you do and where your gaps may lie, create a prioritized plan of action to work towards compliance. Even though the official position is that everyone who is expected to be compliant has to be compliant on May 25, realistically quite a few companies will not be ready. However, working towards compliance is better than doing nothing at all.
These are my suggestions on what to work on and with what priority:
- Understand your data. Identify and justify the purposes you collect it for, how long you keep it, where it resides and how sensitive it is.
- Work on your communication to individuals. Review your privacy notice and ensure it includes the information required by GDPR, provide specific information at the time of collection, ensure that you get consent where needed (and record it), and ensure that if you offer online services to children you obtain consent from a parent or guardian where GDPR requires it (below age 16, or a lower age of at least 13 if the member state has set one).
- Review your processes for responding to individual requests. Ensure you are equipped to respond to requests to access, rectify, erase, port or stop processing data. Ensure that your processes are nimble enough that you can satisfy these requests without undue delay and in any event within one month of receipt (GDPR allows an extension of up to two further months for complex or numerous requests, provided you inform the individual within the first month).
- Review third-party contracts. Ensure that all the contracts you have with other organizations with which you exchange personal data enforce GDPR principles. At the end of the day, you remain responsible for your part on the road to GDPR compliance.
- Adopt a data protection by design culture. Ensure that reviews of data protection and privacy requirements happen upfront when developing a new product or service or embarking on a new project or business initiative. Perform data protection impact assessments where processing is likely to result in a high risk to individuals. Create awareness in your organization around data protection and what individual employees should think about when it comes to safeguarding personal data.
- Develop a clear protocol for incident monitoring, management and response so that your organization is prepared if an incident occurs. Keep in mind that GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, and to the affected individuals without undue delay when the breach is likely to result in a high risk to them.
- Identify who your lead supervisory authority (lead Data Protection Authority) will be and start developing a relationship with it, usually through your DPO if you appoint one or through your EU representative. This relationship will last well into the future, and it will be an advantage to have this stakeholder as an advocate.
Start the GDPR journey
One key takeaway I want you to walk away with is that GDPR is not an event in time. GDPR is an ongoing journey that should not be seen as a hindrance to business but as a real opportunity to strengthen relationships with customers by showing how much care is placed in the safeguarding of their personal data. Use GDPR as a tool to achieve mutual benefit with the customers you serve so that your business continues to grow and be as successful as it can be.
If you have any questions around this topic, at Kirke we are more than happy to help. Feel free to contact us and we will do our best to guide you through your journey.