There are now only three weeks until the EU's General Data Protection Regulation takes effect, and many organizations are scrambling down to the wire to meet the new data privacy mandate.
The stakes are high. Failure to comply can invite a fine of up to four percent of global annual turnover (or €20 million, whichever is higher).
Companies familiar with the EU Data Protection Directive will notice that the GDPR expands and adds specificity to the directive's privacy protections. Those not familiar with the directive may find it more challenging to put the concepts into practice. And since there is no official pre-set certification for GDPR compliance, it's wise to avoid costly mistakes by adhering to, or at least acknowledging, some best-practice advice.
A potentially huge mistake is to regard GDPR compliance as a one-time event rather than an ongoing process. It is not like a SOC or ISO certification. Since there is no specific certification, compliance is based largely on "appropriateness" standards, and it is up to each organization to determine what appropriate means for its own processing.
It is more of an evolutionary process, and, like many aspects of the legal landscape, meanings and definitions may change as case law and regulatory guidance evolve. That is why, to avoid a second mistake, it is important to use legal counsel, either in-house or external, with experience in EU data privacy law.
Legal counsel can help in several ways. You may want to ask for a legal opinion on the state of your GDPR compliance, for instance. This would not be binding, but may help if your GDPR compliance is called into question.
Also, in GDPR parlance you will be considered a data controller or a data processor (or both), depending on your role within the GDPR framework.
A data controller, or DC, is the person or organization that determines the purposes and the means of the processing of personal data; a data processor, or DP, is the person or organization that processes the personal data on behalf of the DC. As with Logtrust, some organizations may fill both roles, with respect to different data sets or different purposes for which data is processed. You can find greater GDPR detail at sites such as this.
In addition to offering general guidance, experienced legal counsel will be helpful in writing your required data processing agreements. The contract itself is largely standardized, since Article 28 of the GDPR prescribes the terms it must contain, and it resembles a BAA, or business associate agreement, under HIPAA; but as with all contracts it will benefit from legal oversight.
GDPR is for SMBs too
Some organizations may assume GDPR is meant only for large multinationals. It's not. It applies to any organization established in the EU, and to organizations outside the EU whose products or services are offered to people in the EU or that monitor the behaviour of people in the EU, regardless of company size or where the processing takes place.
Likewise, collecting data from European data subjects for lead generation or other marketing purposes may put you in view of GDPR oversight. And if you have an employee in an office in France, Germany, or another EU country, you're subject to the GDPR's requirements.
(The UK is still considered an EU member state, including for purposes of the GDPR, and is looking to its newly passed version of the Data Protection Act to stay in compliance. There will be some differences, however. Here is an overview of the new Data Protection Act.)
Know your data
GDPR allows just 72 hours from the moment you become aware of a personal data breach to notify the supervisory authority, unless the breach is unlikely to result in a risk to individuals. The notification has certain formal requirements and includes detailed disclosures: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken. Where the breach is likely to result in a high risk to individuals, the affected data subjects also have to be notified without undue delay.
Think about this short period when you suddenly discover that personal data has been compromised, and you have to find out how, why, and to what extent. Imagine your teams scrambling around to find answers in such a high-stress situation. That is why, in addition to clearly written policy, you should train staff in advance so they are ready to respond. You should also employ reliable tools and mechanisms that can rapidly provide clear visibility into which data you hold, where it lives, and who has accessed it. Time is of the essence in such a situation.
Company-wide communication is key
GDPR compliance should be viewed as an ongoing process, and so should the process of communicating its requirements and likely impact to people throughout the organization. You should hold periodic meetings with IT and legal staff to discuss changes in the regulations and to answer any questions about GDPR implementation.
GDPR may also affect an organization's HR function if it has employees in the EU. The personal data of European employees is subject to protection under GDPR. You should therefore also take care, when addressing employees, to make sure they understand how GDPR represents a substantial improvement in safeguarding their privacy.
Protecting employees is, after all, a key objective, so written communications should be clear and uncluttered, and should not come across as just another edict from management. Even better, hold regular employee meetings, quarterly, perhaps, to discuss concerns, questions, and any changes in compliance policy.
Finally, communication should also travel upward to executives and a company’s board of directors. Compliance is an important part of their responsibilities. In fact, GDPR compliance should be an integral part of any company’s data privacy and security program, which fits within the larger context of risk management.
Today’s best-run companies have recognized that and have made a top-level risk-management program an essential piece of their company strategy.