Now that the May 25th compliance date for the European Union's (EU) General Data Protection Regulation (GDPR) has come and gone, the GDPR is a reality that is expected to significantly change the way organizations process personal data and respond to data breaches. The regulation was adopted in 2016; it applies to organizations both inside and outside the EU and requires them to institute new or enhanced data protection practices.
The first thing you should do is determine whether the GDPR applies to your organization. Article 3 of the GDPR provides an overview of the regulation's scope: it applies to any organization that processes, holds or somehow controls or monitors the personal data of individuals in the EU, regardless of the organization's location or where the processing takes place. Consider the following:
- Are you established in the European Union?
- Do you have a physical presence in the European Union?
- Do you offer goods or services to individuals in the European Union?
- Do you monitor the behavior of individuals in the European Union?
If you answered yes to any of these, then you must comply with the GDPR.
Where do you start?
The best way to approach the GDPR is with a practical, detailed plan that engages participants from all the key functional areas of the business. The following five steps will help you on your GDPR journey:
Step 1: Appoint a Data Protection Officer (DPO) and Establish a Team or GDPR Working Group
Identify and designate someone who will have enterprise-wide authority for data privacy and protection, budget, and resources. Identify organizational stakeholders who will identify and assess GDPR controls, conduct training, remediate control deficiencies, manage data breaches and maintain the GDPR program.
Step 2: Establish Governance, Risk and Compliance Accountability
Identify, categorize and tag every source and type of personal data. Inventory applications and assets that process, transmit or store personal data. Inventory your organization’s data processing activities to ascertain priorities.
Inventory and assess the third-party processors in place as of May 2018 to identify any agreements and processes that need amendments to comply with the GDPR. Screen third parties periodically and maintain engagement documents via contracts that integrate GDPR program requirements. Review, update, retire or create privacy policies, consents, and privacy notices to factor in GDPR requirements. Review GDPR controls periodically to assess their continued compliance and viability.
Regularly inventory data flow sources and conduct periodic Data Protection Impact Assessments for data processing activities that are likely to be high risk to a data subject. Implement the appropriate technical and organizational measures to show you have considered and integrated data protection into your processing activities. Utilize a GRC tool like ZenGRC to establish, monitor and manage your GDPR program. Integrate GDPR requirements into your audit and monitoring programs to evaluate their effectiveness. Monitor and audit your GDPR Program regularly for compliance and update as needed to reflect changes in regulations, operations, feedback, and review results.
Step 3: Privacy Notices and Consent
Review privacy notices to confirm GDPR-compliant content, delivery, and timing, and update them as needed. Review how you seek, record, and manage consent. Update privacy and consent notices as needed to ensure concise, simple, transparent, and timely consents that can be readily accessed, withdrawn and proven as evidence. Your processing activities and controls must respect data subjects' rights of access, rectification, erasure, objection, and data portability, as well as the right to lodge a complaint, among others.
Step 4: Establish a Data Breach Procedure
Ensure your procedures for handling data breaches define a process in which breaches are detected, reported, investigated, and managed in a timely manner. Review and update data breach procedures so that protocols address the timing and notification requirements for the EU Supervisory Authorities and affected individuals.
Step 5: Conduct Awareness Training
Conduct training to keep employees and third parties aware of the GDPR-driven organizational changes and internal controls that affect data protection and privacy. Deliver periodic GDPR notices and training to raise and reinforce awareness.
Keep in mind that the GDPR is a wide-reaching regulation that may require several changes to your organization over the next few months. While compliance with the regulation is not a one-time project or initiative, following a few simple steps may save you from noncompliance and the large fines that come with it.