
Your Path to Ultimate GDPR Compliance

Practical Steps to Address GDPR Compliance

There’s plenty of information available summarizing all of the new requirements under the GDPR. But once you see the long and dizzying list of new requirements, it’s easy to get overwhelmed. Fear not. You can tackle it one step at a time.

Many items will likely take your organization considerable time to implement, so it’s wise to start the process as soon as possible. For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools.

The GDPR compliance program you build will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.

Step One: Assess Your General Data Protection Regulation (GDPR) Readiness

The very first thing to do is assess. Are you impacted? Where do you stand?

Is Your Organization Impacted?

You may be thinking, “I don’t need to worry about GDPR compliance because it doesn’t impact my organization. We don’t have offices or do business in the EU.”

But the GDPR includes a significant increase in scope over prior EU data protection law that makes it “extra-territorial” or beyond just being located or doing business in the EU.

This means you need to take a closer look. Specifically, you should ask three threshold questions for GDPR Readiness:

  • Do you “offer goods or services to EU residents”?
  • Do you “monitor the behavior of EU residents”?
  • Are you a “Data Processor” (one who processes data on behalf of the Data Controller) of EU resident “personal data” (any information relating to an identified or identifiable natural person, the “data subject”)?

If you answered “yes” to any of the above, the business is impacted and needs to start taking steps toward GDPR compliance.

Some things to keep in mind:

  • The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens.
  • By expanding the scope of the GDPR to include “monitoring the behavior of EU residents,” the applicability net is cast as wide as it can get.
    • Practically every website and app tracks the digital activities of its visitors.
    • Even though you may not be actively targeting and monitoring EU residents, if you have a website or app that tracks who visits and an EU resident happens to find their way to your digital property from within the EU, you’re impacted.
    • Monitoring of behavior can be applied more broadly and include profiling that leads to actions that analyze or predict personal preferences, attitudes and/or behaviors.
    • Thus, the GDPR impacts targeted behavioral advertising and other data analytics.
  • The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers.
    • This has major impacts on cloud companies that process data on behalf of others, especially as the definition of “personal data” is now broadened and includes information like IP addresses, cookie strings, and mobile device IDs.

Where do You Stand?

Now that you know the organization is impacted, you need a way to self-diagnose. Before you can develop a plan, you need a high level understanding of your current GDPR compliance posture.

You could leverage an existing controls checklist, build one yourself, or take advantage of a free, easy-to-use online GDPR readiness assessment tool.

Whatever self-diagnosis path you choose, you must ensure it includes a fairly comprehensive list of the requirements so you have confidence that your assessment is thorough.

This initial GDPR assessment should guide you through GDPR operational requirements under the following areas, with particular emphasis on what’s new:

  • Transparency (i.e., Privacy Policy). This centers on the language in your Privacy Policy. It needs to be in “clear and plain language,” i.e., easily understood by users and not buried under a morass of legalese.
    • A whole host of new language must also be included, e.g., the rights of data subjects and contact details of a Controller’s representative or DPO (Data Protection Officer), among others.
  • Collection and Purpose Limitation. An assessment should check whether the information collected is necessary and relevant, with particular scrutiny around information that is sensitive, involves criminal convictions or offenses, or is collected from children under the age of 16.
  • Consent. The consent requirements under the EU Cookie Directive still apply regarding internet cookies and similar tracking technology.
    • In addition, there are consent requirements prior to Data Processing, including details for when you need explicit and informed consent, or when you must provide user controls for preferences and withdrawal of consent.
  • Data Quality. This centers on steps taken to ensure the accuracy of data and processes for deleting or correcting it.
  • Privacy Program Management. This is a major area requiring a multitude of operational changes.
    • E.g., documentation of your legal basis for Cross-Border Data Transfers, PIA Programs for new products or “high risk” processing, processing activities requiring the designation of a DPO, and due diligence obligations and contracts for Onward Transfers, to name a few.
  • Security in the Context of Privacy. This includes requirements on the use of industry-standard encryption technologies for sensitive data, systematic destruction, erasure or anonymization of data, and documentation on security programs.
  • Data Breach Readiness and Response. A documented privacy and security Incident Response Plan is essential, particularly because there are significant new data breach notification requirements (e.g., controllers must notify the supervisory authority within 72 hours).
  • Individual Rights & Remedies. The GDPR expands individual control with new rights, e.g., the “Right to be Forgotten” (data erasure), “Right to Data Portability” (to transmit data to any other controller), enhanced rights around processing (notice, access, rectification, objection) and filing complaints.

Step Two: Build Consensus

The most common next question is, What do I need to do to secure stakeholder commitment and resources for execution?

Building consensus up-front is critical to the success of any privacy program within an organization and is not specific to GDPR compliance. Fundamental leadership principles and organizational decision-making come into play.

Because the GDPR has such a substantial impact on organizations – increased obligations, a regulatory enforcement regime, and potential fines of up to 4% of annual worldwide turnover (or revenue) – a GDPR program merits its own organizational awareness campaign.

In fact, “Awareness” is at the top of the list in the UK ICO’s (Information Commissioner’s Office) recently released guidance, Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.

ICO’s guidance states, “You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

The guidance goes on to recommend that companies “use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming.”

To do so, you’ll need to:

  • marshal the evidence to support a compelling business case; and
  • plan and execute your GDPR awareness campaign to secure stakeholder buy-in.

What Evidence Do I Need to Tell the Story and Support a Compelling Business Case for GDPR Compliance?

As the data privacy champion, you will have to tap your inherent mastery of the art of persuasion.

This means gathering as much ammunition as you need to generate a sense of urgency and persuade key stakeholders that the GDPR warrants a strong compliance program.

Below are several key messages critical to telling a compelling GDPR compliance story, along with a list of helpful evidence to support each proposition.

The GDPR Impacts the Company…Posing Threats and Opportunities

  • An overview of the GDPR and what specific activity makes the company subject to the new regulation
  • Key organizational risks, fines & penalties, regulatory trends, and likely enforcement landscape
  • Specific stories of privacy regulation violations and what that meant to the company and to the data subject who experienced the violation
  • Reports illustrating consumer sentiment and impact on the business when a brand is damaged via privacy violations
  • Benchmark reports and infographics to illustrate the GDPR risk and show that other companies are taking action in response
  • Stories of companies that used their strong privacy posture as a competitive advantage

The Company Has Compliance Gaps That Require Remediation

  • The results of the initial GDPR Readiness Assessment provide a Corporate Scorecard of where the company currently stands, with specifically identified gaps and risks
  • Any internal metrics/reports providing privacy breach incidents in the organization, any past regulatory inquiries or enforcement against the organization, history of the organization’s privacy training

The GDPR Program Proposed and the Level of Effort Required

  • Overview of the activities typically required to build a GDPR Response Program, including best practices and benchmark information from other companies
  • Summary of what it would take to close the gaps, including a rough time and cost analysis of the level of effort (LOE) to make operational changes, including training, monitoring, measuring, process for privacy impact assessments and product development, contract reviews, privacy policy reviews, etc.
  • Proposed overview of how the GDPR program would operate, a rough timeline, methodology, and success metrics by which to measure progress

How Do I Plan and Execute an Effective GDPR Awareness Campaign?

Facilitate an internal kickoff and ongoing planning sessions with relevant stakeholders across the organization.

This initiative will be easier if you have a designated privacy task force. If a committee is not in place, you’ll need to start identifying and reaching out to stakeholders and key influencers.

Include senior leadership and, if possible, the CEO and Board Members.

In addition, identify and invite colleagues with influence across functional areas from lines of business, legal, IT, InfoSec, HR, product development, engineering, marketing, and others.

Build and deliver a strong presentation leveraging the evidence gathered to tell the story. To be effective, this takes considerable preparation.

Rather than go in with a dry recitation of the policy and regulatory requirements, experienced privacy practitioners recommend planning interactive and engaging sessions that might even double as a team-building exercise.

Running your presentation by a subset of the group ahead of time to get feedback and tweak accordingly will help get stakeholders on your side before going into the kick-off meeting.

At the outset, it will be important to state the following goals of the kick-off session clearly:

  • Formalize GDPR compliance program team structure, roles, and responsibilities
  • Secure commitment that the GDPR program is a prioritized pillar and initiative aligned to the overall organization planning for the next couple of years
  • Agree on short, medium, and long-term goals of the GDPR program
  • Set measurable objectives with success criteria, key milestones
  • Secure budget and resources based on a rough estimate of the level of effort (LOE)

Schedule ongoing planning meetings with a regular cadence to then develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress.

Step Three: Develop a Plan

Now that the readiness assessment is complete, it is time to conduct a detailed gap analysis and build a plan to address any issues. The items should be prioritized based on risk and level of effort.

For example, creating a privacy audit program would have both a high risk level and a high level of effort. Building a privacy notice format would have a low risk level and a low level of effort.

Several things must happen at this stage to develop an effective plan, including:

  • Conducting a risk analysis
  • Conducting a level of effort (LOE) analysis
  • Creating a project plan

By investing the time up front to perform the proper analysis and planning, you can be confident that your GDPR compliance program will efficiently and effectively mitigate risk while meeting your company’s business objectives.

Conduct Risk Analysis

Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment is required for any processing that may result in “high risk”.

“The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA.”

While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, the following are common questions to begin to identify areas of risk, including “high risk”.

These particularly reflect the more stringent GDPR requirements.

  • Security / Data Protection. Are the necessary data protection controls in place, e.g., encryption, data loss prevention, enhanced access control, and anonymization?
  • Sensitive Data, Genetic and Biometric Data. Are there stronger security protections in place for this data? Are there business processes around sensitive data that violate the stated use in the privacy policy? Are processes for gaining explicit consent in place (as required under the GDPR)?
  • International Data Transfers. Are all transfers protected according to the appropriate data transfer mechanism in place (i.e., under Model Contract Clauses, Binding Corporate Rules, EU-US Privacy Shield if ratified, Consent, or other)?
  • New Products / Processes. Do new plans require a change in the way you collect, transfer, store, process, use, and dispose of personal data? Are there newer ways of using geo-location or online unique identifiers that trigger a discrepancy with what is stated in the privacy policy?
  • Vendor Management. How do the vendors in your data flow manage the personal data? What stated data privacy and security policies and controls are in place? Can they be verified?
  • Mergers & Acquisitions. What data privacy and security processes are in place at the merged or acquired company? Is there a discrepancy between those processes and the ones at your organization?
  • Large Scale Processing. Are there any profiling processes in place? Is there systematic monitoring of publicly accessible areas or of special categories of data (e.g., genetic or biometric data, criminal records)?
  • Conversions & System Changes. Has there been, or will there be, a conversion of records from paper-based to electronic form, or a conversion of information from anonymous to identifiable form? Have there been, or will there be, system management changes with new uses or applications of technology?
  • Database Changes. Has there been, or will there be, merging, matching, and manipulation of multiple databases containing personal data (e.g., between subsidiaries or in an M&A context)? Or incorporation into existing databases of personal data obtained from commercial or public sources?

With gaps identified in step one and from a deeper dive risk analysis, you can build a table of gaps organized by risk level – Low, Medium, and High.

Assessing levels of risk will be highly dependent on the priorities that your organization attributes to certain components. A strong understanding of the current legal and regulatory environment is also essential to proper risk level determination.

Common risk categories to keep in mind when assigning risk levels are legal, regulatory, political, operational, strategic, market, credit, reputational, event, and country-specific risks.

You can build your own templates for this analysis or leverage those available in data privacy management platforms like the Assessment Manager, with built-in workflows to guide you through the process.

Conduct Level of Effort (LOE) Analysis

For each gap, you’ll need to identify specific remediation actions and estimate Levels of Effort (LOEs) – Low, Medium, and High.

By mapping the Risk Levels to the LOEs of each activity, you can start grouping activities in a Risk / LOE matrix to help visualize your plan’s priorities.

Once your Gap Assessment and Risk Analysis are complete, you can build a project plan for each functional area within the business, along with a timeline for completion.

Whatever your team decides, the GDPR project plan also needs to account for the unexpected.

Invest time up front to perform the proper analysis and planning so that you can be confident your company’s GDPR compliance program will efficiently and effectively mitigate risk while meeting business objectives.

Build the Project Plan

Armed with the gap, risk, and LOE analysis results, you can then build a project plan against a timeline for completion. The plan should take into account:

  • The privacy team’s stated goals – short, mid, and long-term
  • Budget and people resources available
  • Prioritization for work on “high risk” areas
  • Sufficient period for activities with higher LOEs and longer implementation times
  • GDPR developments and likely enforcement milestones
  • Ability to leverage other frameworks such as the EU-US Privacy Shield (once ratified) as a way to meet EU data transfer requirements and cover a large percentage of the GDPR requirements at the same time

A GDPR Project Plan will be highly specific to each organization. One idea is to use a targeted schedule in Gantt chart format. Once the prioritized plan is in place, you’ll be in a solid position.

Step Four: Uncover Risk by Conducting a Comprehensive Data Mapping Analysis

To ensure you have uncovered all the risks and appropriately prioritized your plan, you must have a solid understanding of your organization’s complete data lifecycle.

The process of documenting this lifecycle is referred to as a data flow analysis or data mapping.

Data mapping will require that you talk to your teammates who know where data is at each of these stages across the enterprise and with third parties:

  • collection
  • storage
  • usage
  • transfer
  • processing
  • disposal

Article 29 Working Party Guidance

The EU GDPR went into effect in May 2018. For many organizations, the changes required to become compliant with the new law will take several quarters to implement.

Some of the larger changes required will deal with the new “Right to Data Portability,” identifying a lead supervisory authority, and appointing a “Data Protection Officer.”

The Article 29 Working Party (WP29) has just released guidance on these three requirements.

1) Right to Data Portability

Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.

2) Identifying Lead Supervisory Authority

If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, key concepts for identifying a lead supervisory authority, and even questions to guide the identification of the lead supervisory authority.

3) Data Protection Officer

WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:

a) where the processing is carried out by a public authority or body

WP29 guides that “such a notion is to be determined under national law.”

b) where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale

WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”

c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.

While clarification on what “large scale” means is summarized below, WP29 also gave guidance on the meaning of “Regular and Systematic Monitoring” as well as the expertise and skills that a DPO should possess.

These factors should be considered when determining whether the “large scale” threshold is met:

  • Number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • Duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity