General Data Protection Regulation: A Checklist to Compliance
The General Data Protection Regulation (GDPR) is perhaps the most sweeping data privacy law in history. Within its 99 articles, it sets out new requirements for organizations that process the personal data of individuals in the European Union (EU), wherever the organization itself is based, and gives those individuals far more control over how their data is used.
Failure to comply can mean fines of up to approximately $24 million (€20 million) or 4% of a company’s global annual revenue, whichever is greater.
Despite the passing of this regulation in 2016, many businesses still don’t consider it a priority. This is particularly true of U.S.-based organizations, some of which don’t even realize they’re required to comply.
With the compliance deadline (May 25, 2018) fast approaching, it’s a good time to assess if your organization is on track. Evaluate your progress against this checklist of steps to compliance, and take action in the areas you’re lacking.
Assemble your implementation team.
The GDPR can result in heavy fines, so don’t treat it lightly. The compliance process should be a high priority for everyone, from leadership down. “This is a big deal,” says Bret Wingert, vice president of operations at Insight. “Treat it as [you would] any other big project.”
If you haven’t done so already, assemble a team of people from across your organization, including those from other regions. Be sure to get management involved. They’ll need to ensure this team has the necessary resources to bring the company into compliance. They’ll also be instrumental in determining if it makes sense to bring on a Data Protection Officer (DPO).
A DPO is mandatory only in certain cases (for example, public authorities, or organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data), so it’s possible your organization won’t be required to designate one. Even so, it may be helpful to have one. This role is responsible for monitoring compliance, advising employees and communicating with the supervisory authority.
Include legal representation. When it comes to compliance, the need for legal counsel can’t be overstated. Your internal legal department is a good place to start. In addition, some firms (mostly in the EU) now specialize in the GDPR. These highly knowledgeable legal teams can give your organization an idea of where to start, help prioritize tasks and keep you on track as your compliance journey progresses.
Locate your data.
The GDPR is all about personal data protection. If you don’t know what data you have, where it is or how to access it, compliance will be difficult. Remember, under the GDPR, the people whose data you’ve collected can request that it be corrected, handed over to them in a portable format or even permanently deleted. It’s plausible that, after May 25, numerous such requests will be submitted to your organization, and each one requires you to find every copy of that person’s data.
In light of that, you need to know what personal data you’ve collected, what it’s being used for and where it’s kept. “Understand your data, understand the GDPR and see how they intersect,” advises Lisanne Steinheister, global compliance officer at Insight.
You’ll also need to be prepared for a data breach. Breaches have become commonplace in recent years, but many companies still don’t have a clear procedure for reporting them. Under the GDPR, a breach that is likely to put individuals’ rights and freedoms at risk must be reported to the supervisory authority “without undue delay” and, where feasible, within 72 hours of your organization becoming aware of it. When the breach is likely to result in a high risk to the affected individuals, they must be informed as well.
To meet such a tight deadline, your organization needs a detailed plan in place before anything happens. This plan should spell out whom within the organization to alert when a breach is discovered, who will notify the supervisory authority, and how you’ll inform data subjects that their personal information has been compromised (if such a disclosure is required). The 72-hour clock starts when you become aware of the breach, so the plan should also cover how incidents are detected and escalated in the first place.
Invest wisely in technology.
Since the GDPR was passed in 2016, many vendors have been developing hardware and software to help businesses achieve compliance. Although some parts of the process (such as locating personal data across your systems) are easier with the right tool, be cautious about acquiring this type of technology. Any piece of hardware or software is an investment of time and money, so make sure it addresses a gap you have actually identified rather than buying it because it carries a GDPR label.
“It’s not to say tools don’t help,” says Wingert. “But it’s really figuring out which ones [do] and how they fit into your overall scheme.”
Provide companywide training.
Every person in your organization, from the chief executive officer to the receptionist, will need to be aware of the changes brought on by the GDPR data privacy law. Personal data has been collected so casually and frequently in the past that this regulation could mean big changes in the day-to-day work of your employees. It’s vital they understand what is regulated under this new law. Your project team may bring the company into compliance, but it will be every employee’s job to make sure it stays that way.
Insight does not present this as a full review of EU data privacy law, nor is it intended to be legal advice for your company to use in complying with EU data privacy laws such as the GDPR. Instead, it provides background information to help you better understand some important legal points. You should not rely on this paper as legal advice, nor as a recommendation of any particular legal interpretation. Insight suggests you consult an attorney if you’d like advice on your interpretation of this information, its accuracy or its applicability to your business.