Used With Permission from BNA, An Article By: Patty P. Tehrani
Patty P. Tehrani, Esq., is an experienced compliance attorney and has nearly 20 years’ experience in compliance including senior in-house roles at top financial institutions, authoring articles and blogs, and compliance consulting engagements. She has created a series of tools, guides, and reference materials on governance, risk, and compliance functions—including guidance to help check for red flags and GDPR compliance weaknesses before they cause real problems—that can be found with the compliance-focused practical guidance on Bloomberg Law’s Corporate Practice Center.
It’s hard to believe that the May 25th compliance date of the European Union’s (EU) General Data Protection Regulation (GDPR) is right around the corner. That’s right—the GDPR will soon become a reality and is expected to significantly change the way organizations process personal data and respond to data breaches. This far-reaching regulation, adopted in 2016, will apply to organizations both in and outside of the EU and require them to institute new or enhanced data protection practices.
What happens if we ignore the GDPR?
Given the severe consequences of non-compliance, complacency is not an option with the GDPR. There are the judicial remedies, complaints, investigations, orders, and fines stipulated under the regulation; and the fines can be very significant—up to €20 million or 4 percent of annual global turnover, whichever is higher. But being the organization at the center of a data breach failure may also result in reputational harm that can impact market and consumer confidence.
Your organization should be swayed by the severity of the GDPR’s fines and expansive changes to launch, if it hasn’t already, efforts to comply. Here are some recommendations for your organization to consider in planning its efforts as the GDPR compliance date approaches.
How should we start?
Your organization should approach GDPR with a defined plan that is practical and collaborative engaging participants from all key functions. Key steps to help plan your efforts:
Determine the application of the GDPR to your operations (see the summary of key requirements below)
Establish a project team and develop a project plan to coordinate GDPR compliance efforts
Designate a Data Protection Officer to lead GDPR compliance efforts
Inventory your organization’s data processing activities to ascertain priorities
Catalog third-party processors in place as of May 2018 to identify any agreements and processes that will need amending in order to comply with GDPR
Update privacy policies, consents, and privacy notices to factor in GDPR requirements
Deliver periodic GDPR notices and training to raise and reinforce awareness
Amend breach protocols to address timing and notice requirements to Supervisory Authorities and individuals
Integrate GDPR requirements into your audit and monitoring programs to evaluate their effectiveness
Review GDPR controls periodically to assess their continued compliance and viability
With your plan in hand, your organization’s project team can determine the order and priority of the implementation measures in light of the GDPR’s key requirements summarized below.
Who is subject to the GDPR?
First, start with whether the GDPR applies to your organization. The GDPR’s Article 3 lays out the application of the regulation, which includes in its scope any organization that processes, holds or somehow controls or monitors the personal data of individuals in the EU, regardless of location or where the processing takes place. Consider the following questions to help make this determination:
Are you established in the EU—that is, do you have a physical presence in the EU?
Do you offer goods or services to individuals in the EU?
Do you monitor the behavior of individuals in the EU?
If you can answer “No” to these questions, the GDPR most likely does not apply to your organization. However, if you answer “Yes” to any of these questions (even with qualifications), welcome to the world of the GDPR. But don’t end your inquiry here: consult your legal counsel, compliance, and privacy experts to confirm your assessment and the GDPR’s application to your organization. (Note: Certain exceptions may apply, e.g., if your organization has fewer than 250 employees.)
What do we need to do?
It’s impossible to go through the GDPR in its entirety (99 Articles and lots of supporting recitals) here but let me highlight some key requirements.
Personal data (GDPR Article 4)—protect the processing of personal data, which the regulation defines as any information related to a natural person that can be used to directly or indirectly identify that person.
Your organization should know the types of personal data it has—that is, processes, stores, manages, and transfers. If any of the data fit the regulation’s special category of personal data, its processing may be prohibited unless an exemption applies.
Lawful basis (GDPR Article 6)—have a valid lawful basis to process personal data.
Your organization should confirm the appropriate basis for processing:
Processor or Controller (GDPR Articles 4, 24, 28)—determine the role your organization plays in processing personal data.
A controller determines the purposes (why) of processing, conditions, and means (how) of the processing of personal data, while the processor processes personal data on behalf of the controller.
Accountability—document compliance with the GDPR’s six principles for processing of personal data:
- Lawful, Fair and Transparent Processing
- Purpose Limitation
- Data Minimization
- Data Accuracy
- Storage Limitation
- Integrity and Confidentiality
Your organization should implement technical and organizational measures that not only ensure compliance but also can demonstrate the measures in place:
Document your organization’s GDPR controls and maintain them periodically for effectiveness
Consider updating the existing privacy program or implementing and maintaining a comprehensive framework of measures that promote a data protection culture. These include policies, procedures, assessments, awareness, systematic safeguards, clear roles and responsibilities, and periodic audits and reporting to measure the effectiveness of controls.
Awareness—raise awareness of the GDPR through periodic and specialized training and notices.
Your organization should: 1) incorporate GDPR-related notices into its annual training plan; and 2) deliver these on a periodic basis to raise and maintain awareness.
Records of processing activities (GDPR Article 30)—inventory your organization’s data processing activities.
Your organization should audit its processing activities to document what, where, why and how these records are stored, who has access to them, and what happens to them. The mapping exercise should not be a one-time undertaking but rather be scheduled for periodic reviews to keep the information current.
Data Protection Officers (GDPR Articles 37–39)—appoint a Data Protection Officer (DPO) to oversee your organization’s implementation and maintenance of GDPR requirements.
Your organization should determine if it is required to have a DPO based on its processing activities.
If your organization is required or chooses to have a DPO, make sure they have expertise in the GDPR and relevant data protection laws and practices, as well as knowledge of your organization’s operations.
An existing employee may be designated as DPO or one may be hired externally; in either case, they should report to senior management and not undertake any other responsibilities that would conflict with their DPO duties.
Consent (GDPR Articles 7–8)—obtain valid consent for the processing of personal data.
Your organization should update its consent procedures to meet the GDPR’s valid consent requirements:
Freely given, with no conditions
Specific to processing
Informed by providing individuals with certain minimum information and in plain language
Provided by an affirmative action
Documented (keep records) to demonstrate consent
If you’re processing the data of children, make sure your process entails parental consent
Make sure the right to withdraw consent is available at any time, and can be done easily
If your organization has already obtained consents, don’t assume these consents are valid under GDPR and review them anew to determine any need for refreshed consent.
Privacy Notices (GDPR Articles 12–14)—provide individuals with information about the collection and use of their personal data.
Your organization should check to see if its privacy notices, any publicly available privacy policies, and related communications are:
Clear about the who, what, when, how and why of how personal data will be processed
Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
Free of charge (some limited exceptions may apply)
Rights (GDPR Articles 15–21)—provide individuals several rights relating to the processing and storage of their personal data; your organization should review its procedures and equip its systems/applications to be able to accommodate these rights:
The right to access the personal data held about them.
The right to request that data about them is erased.
The right to object to their data being processed.
The right to request that data be transferred to another service provider.
The right to withdraw consent at any time.
The right to lodge a complaint with a supervisory authority.
Privacy by Design (GDPR Article 25)—integrate privacy risks from the onset of designing systems, rather than as an afterthought.
Your organization should institute measures that integrate data protection into the design of data processing systems to facilitate:
the security of processing
detection and notification of breaches
logging and monitoring of operations
comprehensive documentation of the risks and the measures taken to mitigate them
limiting access to personal data to just those involved with processing
Security (GDPR Article 32)—equip systems with confidentiality, integrity, availability and resilience controls.
Your organization should design or update its systems involved in processing and storing personal data to be available and secure, as well as regularly tested.
Data Breaches (GDPR Articles 33–34)—update your organization’s processes to manage data breaches to cover notice and timing requirements of the GDPR.
Your organization should have procedures that factor in the timing and content of data breach notices to supervisory authorities and individuals, as well as any measures to address and remediate breaches.
Data Protection Impact Assessment (GDPR Article 35)—document a risk-based assessment for high-risk processing.
Your organization should conduct assessments as a pre-emptive approach (should happen before you start processing) to assess privacy risks and apply corrective actions and mitigating controls before a breach occurs.
Third Parties (GDPR Article 28)—screen your third parties, keep records, be clear who is doing what, have agreements, and monitor the agreements; review and update third-party engagements.
Determine arrangements in place by May 2018 to flag those that must be compliant with the GDPR
Identify and address any special issues
Data transfers outside of the EU
Consents or privacy notice processing
Identify any sub-processors and areas to remediate
Revise and amend agreements
Update third-party governance policies and procedures
Deliver training as necessary
Transfers (GDPR Chapter 5)—ensure the appropriate movement of the data transferred outside of the EU.
Your organization should transfer personal data to recipients outside the EU only if:
the recipient’s jurisdiction provides an adequate level of data protection;
the data exporter puts in place appropriate safeguards; or
a derogation or exemption applies.
Consider how your organization transfers data to determine where you need to make changes by:
reviewing existing and planned business operations;
identifying all transfers of personal data to recipients outside the EU; and
ensuring that, for each such transfer, the organization has in place a data transfer mechanism that complies with the requirements of the GDPR.
The GDPR may appear daunting at first glance but, read in a positive light, it may help your organization. First, it can help your organization confirm existing good practices in protecting personal data, especially in this age of increasingly frequent and sophisticated data breaches. Additionally, it may help from a marketing perspective when so many large organizations are facing consumer ire for failing to secure their data adequately. Greater transparency about data protection and more control by consumers over the processing of their personal data may not only strengthen these relationships but possibly result in new ones.
Finally, your goal should not be simply to meet all the regulation’s requirements by its compliance date but rather to take a measured approach and make a clear commitment to ongoing compliance with data protection requirements.
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved