By Chris Mermigas, Senior Corporate Counsel, US Region
The General Data Protection Regulation (“GDPR”) will soon be enforced. But how many employees, or executive members of your organization know what the GDPR is and why they should care about it? Is it IT’s problem? Is it Legal’s problem? Is it Sales’ problem? Whose problem is it? With the enforcement date of May 25th just around the corner, the time is now for organizations to ensure they have the right information regarding their GDPR compliance.
Who does it apply to?
GDPR is a regulation in European Union law that establishes rights and protections for the Personal Data of EU citizens. GDPR applies to everyone who handles or possesses Personal Data of EU citizens or otherwise monitors their behavior.
What is covered?
Personal Data is any information related to an identifiable natural person in the EU that can be used to identify that person, directly or indirectly. This includes but is not limited to: names, account numbers, photographs, email addresses, and IP addresses (“Personal Data”). It does not matter whether this data was generated by a user entering their own Personal Data or by a third party providing Personal Data.
When does it apply?
Although GDPR has been in effect since 2016, it will finally be enforced starting May 25th, 2018.
Where does it apply?
GDPR has a global reach and applies to the Personal Data of EU citizens originating in the EU, regardless of the physical location of the business or of the Personal Data itself.
How to achieve compliance?
The obligations in the GDPR depend on whether your organization is a Data Controller or Data Processor.
• A “Data Controller” is an entity that determines the purposes and means of the processing of Personal Data.
• A “Data Processor” is an entity processing Personal Data on behalf of a Data Controller.
In general terms, Data Controllers and Data Processors are required to secure Personal Data. This means: (1) encrypting all Personal Data in transit and at rest, (2) collecting only the minimum amount of Personal Data required for operational needs, and (3) establishing a “privacy by design” structure. Privacy by design promotes privacy and data security from the start to the finish of the design process for databases and networks. Additionally, Data Controllers are required to verify that their Data Processors are GDPR compliant.
Why should we care?
Companies that violate the GDPR can face a maximum fine of up to €20 million, or 4% of their annual gross revenue, whichever is greater.
To be successful and compliant with the GDPR, this has to be an organization-wide effort, with cooperation from Legal, Marketing, Sales, HR, IT and Finance pulled together in a carefully devised and implemented plan of attack.
Once you have your organization leader’s attention, each organization then needs to examine how they identify, categorize and handle Personal Data. In a perfect world, Personal Data will be separated by the citizenship of the individuals identified in the data and the location where the data is collected.
Personal Data resides on different systems within your organization and is shared with external parties. Systems that you didn’t previously consider most likely hold GDPR Personal Data, such as HR systems and your organization’s shared network drives. This exploration into your organization’s data wormhole may seem overwhelming, but if you are not certain where all your GDPR data is located, then treat all Personal Data, and the systems it resides on, as subject to the GDPR. This does not mean that all data in every system needs to be compliant with GDPR; only those systems that contain or may contain EU citizens’ Personal Data originating in the EU will be walled off for GDPR compliance. This approach shifts the time an organization would otherwise spend identifying EU citizens in each system to establishing dataflows and securing the Personal Data in all GDPR systems. Once the organization has identified its GDPR systems and data, it is time to develop a dynamic evaluation and implementation plan.
STEP 1: Appoint Data Protection Officer / Raise Awareness
A “Data Protection Officer (DPO)” is required for all Data Controllers and Data Processors in any case where:
• the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
• the core activities consist of processing sensitive data or Personal Data.
The DPO must have “expert knowledge of data protection law[s] and practices”, must report to the highest levels of management, and must not be assigned any other duties that would introduce a conflict of interest. Organizations may appoint a single DPO or multiple DPOs, provided that each DPO is easily accessible.
Initially, the DPO will ensure that decision-makers and key members of the organization are aware that the law is changing and that they appropriately anticipate the impact and potential risks of the GDPR. Then the DPO will team up with HR and Marketing on an awareness campaign conducted throughout the organization.
STEP 2: Dataflow Analysis
All Data Controllers, Data Processors and/or Sub-Processors shall conduct a dataflow audit by documenting and understanding where the data came from, how it was collected, where it is stored, and with whom and how it is shared or accessed. This dataflow analysis will identify all sources of data, all types of data relationships, and what security is placed on the data, both at rest and in transit.
The dataflow audit shall also include the data life-cycle, from collection, saving, usage, transfer, processing, and storage/archiving through to deletion. This is necessary for chain of evidence and should follow your organization’s and contractual record retention requirements.
STEP 3: Gap Analysis / Risk Analysis
When all the dataflows are complete, a “gap analysis” between the current status of data protection compliance and the obligations deriving from the GDPR shall be completed. The gap analysis will determine which systems need to be GDPR compliant and what security is required on those systems, and will prioritize systems for GDPR compliance so that the organization’s resources can be allocated appropriately.
Implementation priority should be determined by weighing, for each system containing Personal Data subject to the GDPR, the following factors (in no particular order):
1. Risk to operations,
2. Cost of implementation,
3. Timeline of implementation,
4. Legal and regulatory risk,
5. Potential contact with EU citizens’ Personal Data originating in the EU, and
6. Rights of the individual whose Personal Data resides in the system.
STEP 4: Build an Implementation Plan & Implementation Team
If the results of Steps 1-3 above show that the organization is required to implement GDPR security measures, then the DPO shall use the information gathered in Steps 1-3 to build a GDPR implementation plan and a compliance team unique to your organization.
A successful implementation plan should achieve all of the following goals:
1. Strengthened individuals’ rights to their Personal Data,
2. Strengthened IT and physical security requirements,
3. Strengthened governance requirements, and
4. Strengthened contractual requirements with customers, consultants and vendors.
STEP 5: Implementation of GDPR
Along with organizing the compliance team and deploying the implementation plan in order to comply with GDPR, the organization shall implement:
1. A Data Protection Management System, which will include:
a. A data protection structure,
b. Concepts, policies and standard operating procedures,
c. Training applicable to employees about their obligations and responsibilities deriving from the GDPR, and
d. Documentation to demonstrate compliance with the GDPR requirements.
2. A Contract Management Strategy/System, and
3. A Vendor Management Strategy/System.
STEP 6: Data Protection Impact Assessment
Thereafter, on an ongoing basis, the DPO, alone or in conjunction with an outside consultant, shall conduct Data Protection Impact Assessments (“DPIAs”), which shall assess the security, safeguards and governance mechanisms in place. The DPIAs are intended to mitigate GDPR risk while ensuring the protection of Personal Data and demonstrating compliance with the GDPR.
Upon completing the DPIAs, the DPO will report any gap findings and risks. The DPO shall use the gap findings to form an assessment for senior management.
Following the assessment, the DPO shall assist in the business unit’s implementation of the proposed safeguards and remediation measures.
STEP 7: Maintain Compliance
The DPO shall continue to manage compliance by:
1. Creating and updating policies as GDPR evolves,
2. Maintaining controls to implement those policies,
3. Auditing and monitoring to ensure the controls operate effectively over time, and
4. Providing governance to document and communicate the results of the auditing.
The GDPR is not something that should be underestimated, but it is also not something to be feared. It is an opportunity for companies with strong information security and governance to excel, and for others to improve. This is the time to break down the barriers within the organization and to create partnerships with customers and vendors. Compliance with the GDPR requires a team effort from the smallest vendor to the largest customer. All GDPR Personal Data must be secured. The goal is to create and maintain a security shield, and achieve GDPR compliance.