The EU’s General Data Protection Regulation (GDPR) comes into force in May 2018, and preparing for it will be a time-consuming and daunting task. Too many organizations are not prepared: Gartner expects that, by the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements.
So, for those of you with an uncomfortable feeling that you might be among the unprepared (and who are not willing to risk sanctions for noncompliance), take a look at what immediately requires your attention.
• See if GDPR is applicable to your organization
You might say, “But hey, my organization is not based in the EU so it’s not relevant to us.” Not so fast! GDPR does not only affect businesses within the European Union. Any organization that processes personal data in connection with offering goods or services (even free ones) to data subjects in the EU, or with monitoring their behavior, is also affected. So this will affect many organizations outside the EU too!
• Appoint accountability
The new GDPR legislation states that any organization whose core activities involve “regular and systematic monitoring of data subjects on a large scale,” or large-scale processing of “special categories of personal data” needs to appoint a suitable, competent Data Protection Officer (DPO).
• Understand how GDPR affects your processes, data and systems
You must identify and document the business processes in which personal data is involved, and document how that data is processed. You must understand and assess the (privacy) risks associated with those business processes and the IT systems that support them, and implement controls and procedures to ensure the data is kept confidential, is accurate, and is available when needed. Documentation alone is not sufficient: you need to evidence the effectiveness of your measures, which requires continuous auditing and testing activities.
• Check your suppliers
Outsourcing a process does not remove your responsibility for GDPR compliance. It’s still your problem! Where third parties or outside vendors are involved in your processing operations, you need to make sure they have the right control measures in place to secure the data and safeguard privacy as well.
• Ensure explicit and transparent consent for data processing
GDPR requires that people explicitly consent to the collection and processing of their data. Pre-checked boxes and implied consent are, in most cases, no longer acceptable. Your current privacy statements and disclosures need to be reviewed and, where needed, created or adjusted.
• Prepare for data subject requests
You also need to make it easy for customers to withdraw consent if they wish. There is a new statutory “right to be forgotten” for data subjects who want their data erased, and under the GDPR organizations are also obliged to ensure erasure by all other parties with whom the data has been shared. In addition, the right of individuals to receive a copy of their data in a readable, portable format (data portability) aims to increase user choice of (online) services.
• Implement processes for reporting data breaches
GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The supervisory authority must be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
• Check your cross-border data transfers
For international data transfers it’s important to ensure that you have a legitimate legal basis for transferring personal data to jurisdictions that are not recognized as having adequate data protection regulation.
GDPR is something you cannot run away from, and there is clearly a lot to do to prepare. Now is the time to start!