One of the biggest hot-button topics for consumers, businesses, and governments worldwide is data privacy and security. And the discussion has gotten that much more heated as high profile cases continue to hit the news. But things are set to get a lot more interesting with the introduction of the European Unions new General Data Protection Regulation (GDPR), which has just recently taken effect.
One of the most comprehensive data privacy and security regulations implemented to date, the GDPR was developed over the course of four years and is designed to better protect consumers and their personally identifiable information (PII). More specifically, GDPR covers any and all individuals within the European Union via a comprehensive set of privacy and security regulations which any company doing business in the EU or with EU residents must comply with.
The goal is to provide EU citizens and residents greater control over PII that gets used by social media platforms, financial institutions, and any other organization that collects information from users. Among many other ramifications, people will now have the right to request a full record of how their personal data has been used by any company and will have to be notified within 72 hours if there’s been a cyber breach or incident that could even potentially affect their PII.
Therefore, EU GDPR compliance is set to affect any company, business, or organization that has operations in the European Union or does business with EU residents. Having already taken effect in May, now is the time to start assessing your data and privacy security systems, tools, and practices to get on the right track towards compliance.
Below is our easy GDPR checklist that will help you make a GDPR assessment, operationalize any changes that need to be made, and make sure you maintain compliance with GDPR requirements moving forward.
You might not have realized it, but the GDPR was passed by the EU parliament in 2016, giving companies a two-year grace period to become compliant. For those playing catch up, it’s not too late to begin preparing to bring your data operations and infrastructure up to date. Proper preparation for EU GDPR compliance will save a lot of time, energy, and hassle in the long run.
The first step towards getting your organization on track to GDPR compliance is knowing who will need to be involved in the process. Assembling the right team of key stakeholders from the C-Suite all the way down to IT, and making sure they’re educated on what will likely need to take place, should be the first step in your GDPR assessment.
Make sure to obtain buy-in from senior management, as well, by stressing the heavy fines and penalties potentially associated with non-compliance. You might also want to begin thinking about forming a Readiness Team with a Data Protection Officer (DPO) who will spearhead any current and future data protection law issues and compliance efforts.
It’s important to recognize that there are two types of data generally covered by GDPR. The first type of GDPR data is personal data, which is information that could potentially be used to determine an individual’s identity. This could be anything from an email, phone number, or street address that consumers provide to companies on a regular basis so they can provide certain services. The second type of GDPR data is sensitive personal data, which are special categories of personal information that require strong protections. This usually includes biometric data (fingerprints, etc.), banking information, and social security numbers.
When updating your data privacy and protection policies to become GDPR compliant, it’s important to understand the most critical areas that the new regulation is impacting. Perhaps the biggest area you’ll need to update your policy and procedures in is user consent. Per GDPR, companies can no longer use illegible terms or complex legalese when asking consent from consumers to use their private data. You need to make sure the consent form is easy to access, intelligible, and that it gives the user the ability to withdraw consent at any time.
Getting just consent correct on its own, for many companies, will be the bulk of the heavy GDPR compliance lifting. But it’s also important for your new procedures to reflect two new consumer rights as outlined by GDPR: the Right to Access and the Right to be Forgotten. The Right to Access gives users the ability to request any and all records of how you’ve used their information, and the Right to be Forgotten allows them to ask that you permanently erase their data from your records. Work with your DPO and compliance team to ensure these capabilities are all built into your updated data privacy policies and procedures.
Once you have all the right pieces in place to properly tackle EU GDPR compliance, it will be time to implement and operationalize the framework you’ve put in place with your DPO and key compliance team. Successfully putting your plan into place will involve several moving parts, including working with any third-party data partners, and ensuring your data breach response plan matches new GDPR standards.
Coordinate with Third Parties
Whether it’s a technology provider, business partner, or outsourcing company, you’ll need to tackle the issue of any third-parties that are involved with your user’s data on a regular basis. Identify these third-parties and, along with the relevant stakeholders within your organization, go over your data processing agreements in comparison with GDPR. Under GDPR, any third-party data processors you use must also be in compliance with the new regulation. More specifically, if any of your third-party vendors are found not to be in compliance, your organization is liable for any fines or penalties. In many cases this may mean completely restructuring and renegotiating your contracts with these providers or selecting new ones altogether.
Primarily, you need to make sure that your partners have the capability to adhere to, and successfully comply with, potential access or erasure requests. It’s also important to note that GDPR contains a Third Country clause, which prohibits the transfer of user data to any country outside of the European Economic Area (EEA), unless certain criteria are met. If any of your partners are outside of the EEA, make sure that either the European Commission has deemed that country adequate, or be able to demonstrate to regulators that you have appropriate safeguards in place.
The next step of operationalizing your GDPR compliance framework will be successfully processing data on a regular basis, in addition to any requests you might receive from your users. Primarily, this will consist of requests for user records or erasures. You’ll want to document the legal mechanisms you’re using in accordance with GDPR when processing different types of requests involving different types of data as well. For example, the processing of special categories of sensitive user data require specific data consent to be obtained from the user.
Under GDPR, users may also request that the processing of their personal data be restricted or contested, for example, when it’s no longer needed for its original purpose. Companies will then need to cease processing of data until they can prove that they have compelling ground to continue. There are many ins and outs in terms of the granular data processing and request rules changes under GDPR, so it’s important to make your legal personnel a key part of your GDPR compliance team.
Respond to Breaches
GDPR defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. And according to GDPR, each event must be documented comprising the facts relating to the data breach, its effects and the remedial action taken. For most organizations, the new data breach standards set by GDPR means that their cyber response practices, protocols, and processes will need to updated and upgraded.
Under GDPR, organizations are also required to notify supervisory authorities within 72 hours of a data breach that user information has potentially been compromised. Where there is a high likelihood according to GDPR that an individual’s data has been compromised, users must be notified without undue delay in addition to the proper supervisory authorities. They key elements to developing a robust, GDPR-compliant data breach response plan are training front-line staff on best practices, coordinating with third-party authorities, and providing clear guidance for your entire breach response team on what immediate actions to take.
Once you’ve begun operationalizing and refining your GDPR compliance processes, you’ll need to take proactive steps to make sure that you’re continually in compliance. As your business, data, and privacy practices change, you’ll want to make sure that you have the proper infrastructure in place that is nimble enough to adjust quickly and effectively.
As a part of GDPR, companies will need to continually demonstrate that they understand the accountability required by this new set of standards. You should be able to show evidence that the dissemination of up-to-date data protection policies has been approved by senior management. You should also be able to show staff are aware of, and properly trained on, aspects of GDPR that affect their specific job or role. GDPR affects more departments than you might initially think, so it’s important to map out anyone and everyone within your organization that handles data.
This could be anyone from call center and customer service staff, to the marketing department and human resources. You’ll want to schedule GDPR training sessions at least every six months, even if changes are minimal and not much time is required. Each department should also have up-to-date internal data handling procedures that are clear and easily accessible, in addition to a set of practices that deal with third-party data processing. A big part of EU GDPR compliance is being able to demonstrate to potential regulators that not only are your practices in compliance, but that you understand the concepts at play.
Anticipate Business Change
GDPR mandates that companies put in place procedures that define when Data Protection Impact Assessments (DPIAs) need to be initiated in relation to business change events. Examples of these key business changes include (but are not limited to) new technology systems implementation, changes in data processing procedures, or changes in third-party data handlers. Your DPO should always be consulted when any major technology or business change takes place that could potentially affect how user data is being handled so he/she can advise whether or not a DPIA should be triggered for compliance purposes.
You’ll want to be ready to provide a systematic description of the change taking place and the ways user data will likely be impacted. Document the potential risks to your users and your strategies to help mitigate those. Work with your DPO and compliance team to fill any GDPR gaps that come to light during large-scale business changes across all departments, personnel, and business units.
Protect Data Integrity
You’ll want to establish (and maintain) a data processing registry that will be a record and reference point for future GDPR regulations and compliance purposes. Your registry should inform internal staff (and potential regulators) as to the categories of your data subjects, the types of data you handle, and methods for locating specific transactions. While GDPR doesn’t specify a single format that your registry must be maintained in, it does require that regulators be able to clearly see that your data handling technology and practices are adequately protecting user data.
Finance, IT, and HR teams should all update and maintain your data registry when (and where) applicable. For example, changes in internal users who own specific data types, the physical location of the files, and changes in IT systems should all be documented and maintained in your registry. The goal is twofold: assuring that you’re consistently protecting data in accordance with GDPR and being able to clearly demonstrate to regulators how you’re doing so.
Finally, don’t be afraid to engage with GDPR compliance services that may be able to make the transition that much more seamless, worry-free, and cost effective. Now that you have your GDPR-made-easy compliance checklist at hand, you’ll be able to work that much more effectively with GDPR compliance services, partners, and internal stakeholders to keep you data safe and EU regulators satisfied.