by Donna M. Wilkinson
After years of dialogue, the European Union’s lengthy General Data Protection Regulation (GDPR) has been adopted and will become effective May 25, 2018. It may surprise some United States-based companies that GDPR will apply to them. The regulation applies to all companies that collect and process EU consumer data or that offer goods and services to EU individuals. GDPR is a wide-ranging piece of legislation passed by the EU and imposes a high duty of care on companies, with serious penalties for non-compliance. While some may view the new compliance requirements as burdensome, costly and unsettling, companies should view GDPR as a new opportunity to improve their data protection security practices. Here, we discuss five steps companies need to take now to meet the compliance obligations imposed by GDPR.
1. Assess data. Regardless of the company’s size or location, it is imperative it take stock of the type of data being collected, transferred and stored, and ensure it has consent to collect that data. Companies should document what data they hold, its source, and its purpose. This is a great start to organizing an information audit that can be used to help create policies and procedures, and to respond to audits. These reviews should be well documented and conducted routinely and whenever a new form of data collection is being considered.
2. Find GDPR gaps and create a plan. Once the company has assessed the data it collects, a map can be created to assess compliance with the GDPR requirements. This step will help in finding gaps of non-compliance and can assist in creating a more detailed plan of how to fill those gaps. Some important points to remember when creating a plan include anonymizing data whenever possible, deleting data as soon as the company no longer has a need for it and aiming to make the data associated with an individual easy to find in the event the individual asks for their information to be deleted. Finding the gaps is crucial - it is these non-compliance gaps that could cost the company a fine of up to 4% of global revenue or €20 million, whichever is higher.
3. Appoint a Data Protection Officer (DPO) and create policies. This is the time to invest in a privacy professional and/or appoint a DPO. If the company regularly and systematically monitors or processes EU personal data, the company is required to appoint a DPO, whose roles and duties are carefully prescribed by the GDPR. The DPO must be equipped with the tools needed to monitor the company’s compliance with GDPR. Before appointing a DPO, the company should have a policy in place that provides those tools and gives the DPO authority to draft additional policies and carry out GDPR accountability requirements.
4. Train staff. Staff need to be empowered with a basic understanding of GDPR. Not only is training a requirement under GDPR, it is an obvious way to ensure compliance with the new regulation. While there are no formal requirements for training length or topics, the training must raise awareness about data protection. This requirement is low-hanging fruit for a regulator to issue a fine if it is not completed. Start to develop a training program now to make certain staff have the knowledge to protect the company.
5. Supervise third parties. The company should assess all vendors who handle personal data on its behalf. This is a good time to review the requirements you already have in place with your third-party vendors. Come up with a checklist of issues that now need to be considered based on the type of business and data the company handles, and the new requirements of GDPR. This may require current agreements to be revised or amended.
The introduction of GDPR only increases a company’s risk of administrative fines and being named in a lawsuit as the new regulation is rolled out. The EU is taking a strict approach and companies need to begin addressing this strict regulation now. And don’t think Brexit gets the company off the hook. The UK Government has indicated that it intends to abide by GDPR despite its eventual departure from the EU. For more information, visit eugdpr.org.
Donna M. Wilkinson is Associate Agency Counsel at The Marketing Arm. She can be reached at firstname.lastname@example.org.