In the last few weeks, we have been talking about what GDPR is, who needs to be compliant with it and what to keep in mind if you have to comply. Now we are going to discuss the best way to go about prioritizing GDPR requirements for your organization.
It’s all about the risk
First off, let me say that GDPR is not a step-by-step prescription on what to do with regards to the management and protection of personal data. If it were that way, we would all have been compliant long ago! Just tick the boxes on a checklist and voila!
GDPR principles can be implemented in different ways, for different purposes and with different senses of urgency, depending on your business model, what specific personal data you collect and use and how many internal and external parties are accessing or processing this personal data.
Right now the only thing we know for a fact is that GDPR comes into effect on May 25. And something else we know for a fact is that a large number of organizations – within or outside the EU – are not ready to comply with GDPR yet. For now, let’s just state that this is your #1 risk in terms of privacy compliance.
So, let’s be pragmatic about it. There are 3 months left to the deadline, so you have to be selective and impactful if you really are committed to compliance – perhaps not 100% at the time of the deadline, but as much as you can achieve.
You know your business better than anyone and you know where your risks lie. Therefore, use this knowledge to determine which aspects of GDPR are the most important to focus on immediately, which ones you will look into during the rest of the year and which you don’t need to worry about because they don’t apply to you.
With this in mind, the following section will list out the compliance requirements to implement. I will explain what each of them means and you can decide, for each of them, if they fall in your critical, important or nice-to-have list.
If you need help with this prioritizing exercise, feel free to contact us and we can guide you through.
The compliance requirements
In our framework, we follow ten different areas of compliance to ensure that GDPR is covered.
- Governance. Right off the bat, ensure that someone in your organization will be the single point of contact in regards to data protection matters in general, and GDPR in particular. From here, start looking into building a structure that will facilitate the ongoing compliance of requirements.
- Accountability. Building on the governance concept, ensure that you “walk the talk”. You will need to have someone that both EU individuals and the EU data protection authorities can contact and make requests of. In some cases it’ll be in the shape of a Data Protection Officer (DPO), in others it will be a local external EU representative for your company and in yet other cases, an internal local EU representative.
- Notice. Remember that GDPR is all about transparency? Notice is a tool to achieve that. Tell the public why you need their data, how you will use it, for how long and how they can remain in control of it. If they still want to do business with you (I can assure you that most people do and appreciate the effort), then you are set.
- Consent. In some cases you collect personal data to be able to fulfill a service, or you need it to comply with legal obligations or any other specific legitimate reason. When none of these apply, then you need the consent of the individual. Once you provide transparency in regards to the what, how, why and where of the processing, it is up to them to give you thumbs up. If you have their consent, then you are free to process that data. Just remember, consent is not the one and only way to obtain data, so use its power wisely.
- Data subject rights. EU individuals will have the power to come up to you and make different requests about their data. Make sure that you have the right mechanisms in place to a) receive the request, b) understand the request and c) fulfill the request. You have 30 days from the moment the request is made in order to comply with it. And if it is going to take you longer, you need to be ready to justify why. Process is the key to you being able to fulfill this requirement.
- Data mapping and processing. Related to the one above, if you don’t know what personal data you collect or you don’t know where it is stored, you won’t be able to satisfy individual requests. This is really a “spring cleaning” type of exercise where you get reacquainted with your data, know what you are collecting, whether you are using it or have it “just in case” and where it is. This exercise will help you clean house and get rid of what you don’t need, since this will also help with your risk management.
- Data transfers. Once you map your data, you will know where you are transferring it to, and if you are transferring it to a place outside of the EU, you will need to ensure it is properly safeguarded and that no one who is not authorized has access to it. Ensure your processors have the right safeguards and processes to avoid any 3rd party issues down the road.
- Data protection by design. GDPR is looking for companies to keep data protection and privacy management top of mind. Instead of talking about privacy implications a day before go live, have this conversation when a new product, service or initiative is being designed. Don’t retrofit and avoid making costly mistakes. As my handy father-in-law says “measure twice, cut once”.
- 3rd party vendors. In a lot of cases, companies do not manage personal data on their own but subcontract vendors to do it on their behalf (the so-called “processors”). That doesn’t relieve you of responsibility. It actually makes you more accountable, since you must stay in close contact with your vendors to ensure appropriate management of personal data. Your agreements need to be rock solid when it comes to GDPR compliance expectations, and you need to make clear that you will keep an active eye on them to ensure follow-through.
- Breach notification and management. This is the one that is scary for some, because no one wants to be in the position of having a data breach. But do you know what is even scarier? Being in that position and not knowing what to do. GDPR expects companies to be fast, swift and efficient when it comes to breach management, especially when the breach may put individuals’ freedoms and rights at risk. Have a protocol that identifies when an incident takes place, with a decision tree that determines whether it is a breach and whether the breach is putting individuals at risk. Once you know what type of breach it is, your protocol must guide you through the different communication mechanisms while containment and remediation are happening. You need a plan to act fast, decisively and in a measure appropriate to the level of risk.
What to do now?
Now that I’ve explained the different areas where you need to put effort in order to be GDPR compliant, determine which ones are the most urgent. In some cases, you have always documented your data flows, so you don’t have to worry about data mapping in detail. In other cases, you have a Privacy Officer and some privacy practices in place, so you can assume that the basics of governance are covered.
As I said, you know your business and you can determine where you can afford to implement later and where you need to do something right away. The key phrase here is that you have to do something, because GDPR is not going away and doing nothing will not make you less accountable.
Don’t try to boil the ocean, one pot at a time will do. And believe me, your customers and partners will forever appreciate your effort and will reward you by continuing to do business with you.