The General Data Protection Regulation (GDPR) is one of the most significant pieces of legislation that businesses will need to address over the next few months.
It will come into full force on 25 May 2018 and potentially requires significant organisational changes alongside substantial investment.
These are the steps you need to take to ensure the organisation is ready for the new regulation next year.
1. Brief the board and assemble a team
The first steps any organisation should take are to raise awareness of the changes, gather information on current practices and form a consensus as to the overall program approach.
The GDPR will affect almost every aspect of an organisation and its key stakeholders, from a range of business functions, including marketing, human resources, information security, legal, and product and website development.
A senior (ideally board-level) individual should have overall responsibility for the compliance program, along with the necessary authority and resources to justify diverting multiple stakeholders from a significant part of their day jobs.
2. Do not start with a clean sheet
The GDPR builds on and expands the basic principles under the current 1995 EU Data Protection Directive (the “Directive”). Although it introduces a number of new rights and obligations, many of the internal processes and systems can be re-used and adapted. Therefore, aim to build and improve what you have, rather than trying to “reinvent the wheel”.
Timescale: Step 1 should be undertaken immediately. Depending on the size and complexity of the organisation, allow at least 2 – 4 weeks to assemble a team and review the existing compliance framework.
3. Understand your business and data flows
The GDPR has significant extra-territorial reach. The Directive applies to entities processing personal data as part of their European establishments or using data processing equipment located in the EU.
Under the GDPR, entities without an EU business presence will potentially be covered if they offer goods or services to EU-based consumers or monitor the behavior of data subjects in the EU.
Similarly, businesses will need to examine their international data flows. The substantive rules on transfers outside of the EEA remain largely unchanged, although the penalties for non-compliance are now significantly higher and will need to be considered in the overall business risk assessment (see further below).
4. Understand the nature of the personal data being processed and the basis for processing
The definition of “personal data” is expanding and specifically covers “online identifiers”. In short, anything that contributes to identifying an individual, or that links to identifying information, will be caught, including cookies and IP addresses.
This is not an exercise in the analysis of legal concepts but an essential part of good data management – understanding what personal data is held and why it needs to be retained.
Consent is one (but not the only) basis for processing. If your business relies on consent, review your current policies and documentation, bearing in mind that you will bear the burden of proof in showing that consent has been obtained. For some categories of personal data, consent will be harder to achieve. Businesses should therefore also look at alternative bases for processing, such as the data controller’s legitimate interests.
5. Examine your roles.
The Directive currently imposes the main compliance burden on data controllers – the legal person who determines the purposes, conditions and means of the processing of personal data. Data processors acting on a controller’s instructions generally have much lighter obligations.
Under the GDPR, data processors will now be subject to much greater scrutiny and potential liability. Many companies which provide services to customers will fall within the definition of a data processor. If you are acting as a processor, you may be caught where you previously may not have been.
Timescale: The data audits envisioned by steps 3, 4 and 5 would need to be taken over a period of at least 2 – 3 months. Complex organizations are likely to require much longer periods and the use of significant internal and external resources.
6. Understand, assess and prioritise the risks
The potential fines for non-compliance are vast — up to 4% of the total worldwide annual turnover or €20,000,000 (whichever is higher).
This range of fines applies to many of the core provisions of the GDPR, including the six general principles of processing.
Putting that into perspective, data protection regulators will take into account various factors such as the nature, gravity and duration of the infringement, whether it was intentional and the categories of personal data involved.
Businesses processing significant volumes of consumer personal data or sensitive personal data are most at risk. Compliance efforts therefore will need to be prioritised.
Absolute compliance with the GDPR is unlikely to be feasible (in the same way that relatively few companies comply fully in all respects with the current data protection regime under the Directive).
Board-level input will be required on the organisation’s risk appetite, along with its available resources and budget for compliance, bearing in mind the significant risks of non-compliance.
Senior management should designate the individuals who will formulate a plan, assemble the wider team and be responsible for the GDPR compliance program.
Timescale: 4 – 6 weeks.
7. Review internal procedures for data breaches
The GDPR introduces, for the first time, pan-European data breach notification rules. Previously, data breach notifications were mandatory only in some EU countries, such as Germany and Austria.
Companies should draft or reassess their data breach response procedures accordingly and work with their IT teams to review and implement appropriate technical and organisational safeguards.
Data controllers must compile an internal breach register, regardless of whether a breach triggers notification. The register should include detailed facts about each incident, its effects and remedial action taken.
Businesses should consider adopting a cybersecurity framework such as ISO 27001-2 and carry out regular tests and internal training.
In addition, businesses will need to review their insurance coverage for cyber risks, as well as security and breach notification clauses in their vendor contracts.
8. Review internal systems and processes.
While some of the new and enhanced rights under the GDPR are relatively simple in concept – such as the right to erasure or the right to data portability – implementing them in practice will be more complex and may require changes to underlying technologies.
For example, can existing processes and databases segregate information which is subject to restrictions on processing? Can personal data be provided to the data subject exercising the right to data portability without including a third party’s personal data where records are intermingled?
9. Prioritise compliance
Following an assessment of current processes, business should plan and prioritise the compliance obligations which: (1) are likely to have the most significant impact on the business, and (2) require the longest implementation or remediation timeframe.
For example, the system changes noted above may require complex contract changes. Certification to technical standards such as ISO 27001 is a time-consuming process.
Similarly, re-negotiation of legacy contracts to reflect the different allocation of risks under the GDPR is likely to take several months.
Timescale: Implementation of steps 7, 8 and 9 is likely to take 3 – 4 months at a minimum and could easily exceed 6 months for large, data-intensive organisations.
10. Secure long-term investment
Compliance with the GDPR will require ongoing investment of internal and external resources. In particular, training programs should be tailored to the business and refreshed at regular intervals or in response to specific events such as data breaches.
Businesses which regularly and systematically monitor data subjects or process sensitive personal data on a large scale will need to appoint, or designate, a Data Protection Officer. This will be a senior and independent role within the organisation, reflecting the critical importance of data protection compliance to the operational and financial health of a business.
Timescale: Ongoing review.
Huw Beverley-Smith is a partner in the London office of leading law firm, Faegre Baker Daniels.