Kickstarting your GDPR readiness program
February 16, 2017 by Lewis Barr

Over 50% of United States (U.S.) multinational companies recently surveyed by PwC reported that getting ready for compliance with the European Union (EU) General Data Protection Regulation (GDPR) is at the top of their data privacy and security agendas. Indeed, over 75% of them reported budgeting more than $1 million for GDPR readiness. Even though the Regulation’s effective date of May 25, 2018 remains 15 months away, it is not surprising that many companies are already prioritizing GDPR compliance given the comprehensive scope of the Regulation and the risk of whopping fines for non-compliance: up to the greater of 20 million EUR or 4% of annual global revenue.

Organizations without a permanent establishment or operational presence in Europe may be caught off guard by the Regulation’s reach, which extends to all organizations that offer goods or services to EU residents or monitor their behaviour in the EU, regardless of where the organization is located. While this extra-territorial assertion of EU authority may be subject to legal challenge, the reasonable expectations of EU residents and EU-based controllers will not. Consequently, all companies looking to continue doing business that involves the collection or other processing of EU personal data should now get cracking on planning for GDPR readiness.

When to begin? As a zen mystic and your mother both might advise, there is no time like the present, especially because establishing GDPR readiness will involve defining or refining, and then implementing, operational safeguards and procedures. It may also involve changes to the data collection-related functionality of your online properties, all of which may take over a year to accomplish depending on how personal data is currently treated in your organization. Getting ready will also entail training, both to build GDPR awareness and to put your plan into action.
Watch our recorded webinar with TRUSTe: Kickstart Your GDPR Planning: Part 1

Where to begin is also easy to answer. If you are on the marketing, engineering, product or other operational side of the house, we recommend working closely with expert privacy counsel to gain a thorough understanding of the Regulation’s requirements. But you and other stakeholders in your organization can gain firsthand knowledge of what the Regulation requires by investing the time to review the Regulation itself. With 99 articles to wade through (plus scores of recitals that explain the purpose and intent behind the articles), the Regulation may seem a daunting read, but on the Joycean scale of reading difficulty it is closer to Portrait of the Artist as a Young Man than Ulysses.

And just as there are good guides to James Joyce’s fiction, there are also good guides to the GDPR. To get well oriented, the International Association of Privacy Professionals (IAPP) provides a good summary focused on The Top Ten Operational Impacts of GDPR. For a more detailed walkthrough of the Regulation’s requirements, including discussions of the key definitions (especially the critical distinction between personal data and anonymous data) and the principles on which they rely, see the White and Case handbook, Unlocking the GDPR, and Bird and Bird’s guide to the GDPR. The White and Case handbook helpfully separates the Regulation’s obligations that pertain to controllers from those that pertain to processors, while noting changes from the current EU data protection Directive, which the Regulation will replace. The Bird and Bird guide includes “to do” recommendations that can help your organization assess its GDPR readiness.

Once your team has a solid understanding of what the GDPR requires, you can engage a cross-functional team to determine your organization’s GDPR compliance gaps.
To start the readiness assessment, you should review your organization’s current privacy and data security controls, as they will comprise the baseline from which your organization will need to work to achieve compliance. Has your organization already implemented a privacy program and reasonable safeguards to secure the personal data it collects, stores and otherwise processes? If so, it will have a head start towards GDPR readiness. Either way, a great place to begin your organization’s analysis is by mapping or inventorying how data moves across your organization’s computer systems and vendor environment, and where and how it is stored and shared. If you already have a data map or inventory, be sure it is current and answers the following questions:

- Where is personal data collected?
- Where is the data stored?
- Who owns the storage facilities?
- What types of personal data are retained, and in what format are they retained?
- In which country is the data stored?
- From which country is the data accessed?
- Is the data transmitted internationally?
- Does your organization transmit data to third parties? If so, for what purpose?
- How is consent collected?
- For what purposes are the data used?

Once you have a current data inventory, you can review the organizational and technical safeguards already being applied by your organization at the various points on the data journey to protect the data subject’s privacy and secure the personal data. Keep in mind that GDPR Article 21 will require the use of appropriate safeguards for protecting the rights of EU residents and “ensuring that, by default, only personal data which are necessary for each specific purpose of processing are processed.” Are the following safeguards already being utilized?
- Data governance policy
- Privacy Impact Assessments
- Encryption of data at rest and in transit
- Privacy and Security by default reviews at the product/service requirements-collection stage
- Data incident response plan
- Data retention and deletion policies
- Tested backup, business continuity and disaster recovery plans

While you are still determining your current state of readiness, make sure you take into account all the vendors within your organization’s personal data environment and the controls they have implemented. For example, if your organization is storing data in the cloud or relying on processors who do so, is a leading vendor like Amazon Web Services being used for that purpose, and are the critical security controls made available by the vendor being applied to all the stored data, so that your protections are in line with best practice and consistently applied?

As a processor, you’ll want to determine whether your processing systems offer the following functionality:

- Granular consent and consent revocation mechanisms
- Easy personal data record access and portability via SFTP or other secure mechanisms
- Reliable, accessible logs of all personal data transactions
- Scoped access to personal data for users and integrations, limiting access to personal data to the extent needed to accomplish the permitted purpose
- Age gating

To assist in your organization’s gap analysis, you may use TRUSTe’s GDPR compliance guide and a free GDPR readiness assessment tool provided by OneTrust and IAPP. Also, if you are an IAPP member, you can take advantage of TRUSTe’s GDPR Readiness Assessment tool.

With your GDPR gap analysis done, you’ll be able to establish and budget for a GDPR readiness program your organization can follow to meet the May 25, 2018 compliance date and join the well-deserved company of other organizations that have implemented privacy best practices for a better and more secure customer experience.