With less than a month to go before the EU’s GDPR takes effect, many companies are still scrambling to get their data protection policies up to speed. Are you ready? Get an overview of what you should have in place and what to do if you don’t.
As GDPR looms on the horizon, the stakes are high and the learning curve steep. Fines for non-compliance are strict and prohibitive – companies can be fined up to four percent of their annual global turnover or up to €20 million for breaching the GDPR.
And the scope is broad. Most companies will have to comply as the EU’s GDPR covers all EU companies and foreign companies targeting people in the EU. It’s interesting to note that most versions of GDPR refer to “data subjects who are in the Union”. This means that even a non-EU resident on holiday in the EU would, technically, also be covered by the EU’s GDPR. The exception is Spain’s GDPR, which refers to residentes rather than data subjects.
With that in mind and just a few days remaining, let’s look at which steps companies should have taken to prepare for GDPR.
Step 1: Conduct a Privacy Impact Assessment
Conducting a Privacy Impact Assessment (PIA) is the first step you would have taken to prepare for GDPR. According to the Information Commissioner’s Office, a PIA should incorporate the following measures:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process
Step 2: Hire a Data Protection Officer
The second step to have taken is hiring a Data Protection Officer (DPO) who is responsible for supporting the data subjects’ rights and driving the privacy program forward inside your organization. The position can be contracted out as the DPO doesn’t need to be a permanent member of staff. However, the DPO must have the budget, seniority and authority to drive the privacy program forward.
Step 3: Raise awareness and invest in training
GDPR doesn’t end on the 26th of May. You will have to continuously ensure that your company does not infringe users’ privacy rights and is in continuous compliance with the GDPR. For that reason, it’s important that your staff – especially those dealing with data protection – are well informed of the GDPR.
Your company should invest in raising awareness and training your staff via seminars, online courses, eLearning, podcasts and similar formats. Crucially, training should incorporate both an overview for all staff and role-specific deep dives for members of staff who regularly deal with Personally Identifiable Information (PII).
Step 4: Establish consent and user rights
In order for your company to process data, you need to have a legal basis to do so. Article 6 of the GDPR lists six cases where processing data is lawful. Two of the most common cases are consent and legitimate interest.
If you go down the consent route, you need to explicitly obtain consent (i.e. the subject cannot give you consent without actively performing an action like ticking a box). Although consent may seem like the easiest case, it’s actually the most complex when it comes to subject requests. Keep in mind that consent is most likely not the ideal solution for dealing with clients with whom you already have an existing contract.
Step 5: Set up procedures for subject requests
By now your organization should understand and respect your users’ privacy rights regarding subject requests. Under the GDPR, users are entitled to a list of rights when they have consented to their data being processed, such as the right to erasure (the subject’s right to request that the data controller delete their information), the right to data portability and the right to make subject access requests.
In the case of access requests, for example, users have the right to know precisely which elements of their data you are processing. This means that you’ll be obligated to provide the following information and, most importantly, you’ll be required to do so within a time limit of 30 days:
- a description of the personal data
- the reasons for processing it
- whether it will be transferred to a third party
- a copy of the information comprising the data.
Interestingly, GDPR doesn’t specify that these requests need to come in through a specific channel as required by some previous legislation. You should, therefore, have already tested this process through electronic, written and verbal means (e.g. email, letter to the front desk and phone call).
Step 6: Set up Data Processing Agreements
As a private company, you most likely transfer data across jurisdictions and to other companies such as a cloud storage company or infrastructure support partner. If you wish to continue doing so, it’s important that your partner companies meet the required data protection criteria to ensure that they protect your customers’ data.
One way to do this is to sign a Data Processing Agreement with all of your partner companies, which ensures that the partner company will comply with the GDPR thereby protecting your customers’ data. If you are transferring data outside the EU, you’ll have to establish a legitimate cross-border transfer procedure.
Step 7: Prepare for data breaches
By now, you have suitable safeguards in place to protect your employees’ and customers’ data from potential cyberattack. In addition to the safeguards, you’ll have a plan in place to handle a data breach.
Preparing for a breach is important. In the case of certain data breaches, you may need to inform your National Data Protection Agency, your Data Protection Officer and also the customer(s) whose data has been compromised. There are some fairly stringent timelines for this – so, by now, you’ll have a plan and will have tested the breach response plan with your PR, Legal, IT and Security teams.
In the race to prepare for GDPR as of 25 May, it’s easy to forget that compliance will be a continuous process going forward. GDPR is here to stay. If, like many companies, you are still working towards the minimum baseline to comply by 25 May – don’t despair. Gartner believes that less than 50% of all organizations impacted will fully comply by the 25th of May.
You can start by ensuring that you have a roadmap to achieve compliance that is both attainable and reasonable from a data-subject rights perspective. Also, remember that any new projects should include Privacy by Design and Default.
On that note – I would be keen to know what people think. Many people I’ve spoken to feel that the first fines will be the harshest possible to make a point, while others feel that the first few will be less harsh than the future ones… What do you think?
Our services and further information:
- Check your organization’s Data Protection status: Data Privacy Health Check
- Factsheet: Towards effective Data Protection
- CIO Advisory Services at KPMG