Getting Started with GDPR
I’m sure that many of you have seen the acronym “GDPR” by now and probably know that it is compelling many organizations to take action. But, what is GDPR and what should you be doing to prepare for it?
Back in 1995, the EU issued a Data Protection Directive to protect the personal information of EU persons. The Directive was implemented in 1998 and helped to frame data privacy concerns in the EU and in the US. In 2016, the EU decided to replace the Data Protection Directive and wrote the General Data Protection Regulation (“GDPR”). The GDPR enhances the protection and security of personal information in the EU and will be executed on May 25, 2018. Generally, the GDPR covers personal data and information on EU companies, persons and organizations that is stored, and/or processed. There are steep fines associated with non-compliance with GDPR and the breadth of coverage will impact many organizations around the globe.
Companies that are impacted by GDPR have several key obligations to comply with the new regulation; Governance, Data Protection Assessment, Data Protection Officer, Security, Consent, Breach Notification and Data Transfers.
The first obligation is around Governance. Does your organization have the appropriate policies, procedures, training, education and compliance monitoring? Are your policies up to date? Are they comprehensive? Have you defined roles and responsibilities around data privacy? Do your procedures support the policies? Are they being practiced throughout the organization? Do you have a training program to educate employees on the policy requirements? Do employees have to acknowledge that they understand the policies? Are there metrics to measure compliance with policies? How do these metrics get reported to leadership? What steps have been taken to improve compliance? These are all important questions to ask around the governance obligation.
Next is the obligation to perform a Data Protection Impact Assessment (“DPIA”). The GDPR obligation is to assess the systems and applications that either store or process personal data and information. Where is this information being stored and maintained? Which applications use this information for processing? How is this information being protected today? What are the gaps and vulnerabilities? Is there a process to assess new systems and applications for compliance with GDPR before they are implemented in your organization? What are the remediation strategies to mitigate gaps and risks that are identified?
Another obligation is that of the Data Protection Officer (“DPO”). Some organizations will need to create this position within their organization. These individuals should provide oversight of the organization’s data protection strategy and compliance with the GDPR. The DPO will also ensure the education and training of employees, conduct audits to ensure compliance, provide direction to the organization and be the point-person between the organization and authorities.
Security is of course fundamental to the GDPR. Data and information must be secured and protected to prevent breach. Cybercrimes, hacking and data breaches have been increasing and damaging people and organizations for the last several years. The GDPR mandates that this information must be protected, and organizations should consider measures such as; encryption, data loss prevention (“DLP”), access controls, identity management, firewalls, virus protection and unified threat management (“UTM”).
Consent is another key GDPR obligation. Consent was a part of the original EU Data Protection Directive, but the GDPR has a more robust definition of consent. While the former Data Protection Directive accepted the notion of “implicit” consent, the GDP requires the data subject to provide “clear affirmative action”. An affirmative action could be written consent or checking a box on a form. Consent must also be freely given and informed, and children cannot consent without an adult. These are more rigorous actions than previously required and organizations need to be well aware of the consent requirement and put in place policies and procedures around obtaining consent.
Breaches have been a too frequent occurrence over the last few years. Breaches occur in every industry and just last year over 5,000 records per hour were lost in a breach. On average, a breach costs an organization $3.6M not including the loss or damage to reputation. The GDPR obligation for breach notification requires organizations to report a breach within 72 hours. This notification must include a detailed description of the breach and the steps that have been taken and will be taken to remediate the breach.
Data transfers is another key element of the GDPR. The GDPR mandates that all data transfers outside of the EU are ONLY allowed with the appropriate safeguards. Countries that data will be transferred to must have laws and rules in place that provide “adequate” levels of personal data protection. Transfers are also allowed with specific contractual terms.
The GDPR threatens fines for non-compliance of up to $20M euros or 4% of a company’s annual revenue whichever is highest. These are significant fines and again do not include other costs such as loss and damage of reputation and the costs associated with a breach which again average nearly $4M per breach.
So the question that many organizations are still dealing with is what should I be doing to prepare for the GDPR?
We recommend some practical steps that not only will help prepare you for the GDPR, but are also simply good business practices. Even if your organization is not impacted by the GDPR right now, there is a good chance that some if not all of the GDPR obligations will be absorbed and promoted by other industry regulators. For example, the State of New York, just last November, proposed a very similar set of requirements for securing and using personal data and information on New York State residents. The steps that you can take to prepare for the GDPR include:
Know your data. This is aligned with the DPIA in the GDPR. Assess if you have any personal data or information involving EU persons on your systems and or if you process any personal information as part of your business. Know where that data is located, who has access to it, is it being protected as it should?
Establish an Information Governance (IG) program. A good IG program is composed of many of the key elements relevant to GDPR compliance. You should have a comprehensive IG policy that includes roles and responsibilities, approved repositories and systems, records retention including archives and backups, and data security. An IG program should include a cross-functional team that provides oversight and recommendations around topics such as data security, risk mitigation, training and compliance.
Have a GDPR strategy. Do you need to establish a DPO? Develop a breach notification process. Develop a process to identify when consent is required and how to obtain consent in compliance with GDPR obligations.
These are three examples of strategies an organization can take to not only prepare for the GDPR, but to position themselves for the evolving security, data protection and information governance challenges that lay ahead.