Going into effect May 25, 2018, the General Data Protection Regulation (GDPR) represents the most sweeping changes to EU data privacy laws in 20 years. However, signs are growing that companies aren't ready for the new requirements, including a new UK report showing fewer than half of organizations have made preparations.
Companies that sell products or services to people in the EU will need to comply with the new regulations or risk a fine of up to 4% of revenue or €20 million, whichever is greater.
In today’s post, we’re examining what companies need to do to get in compliance with the fast-approaching regulatory deadlines.
Inform Your Team
One of the first steps in getting ready for GDPR is to make sure key stakeholders in your organization are aware of the upcoming changes. Everyone needs to be on the same page about what it’s going to take to achieve compliance, since the transition may require significant resources.
As you put together your GDPR compliance team, you’ll want to ask whether your own legal and IT departments can realistically meet the deadline. If resources are limited, it’s worth considering whether outside consultants can help avoid a patchwork approach likely to contain gaps.
Building your team should also include designating a Data Protection Officer responsible for managing compliance. It’s a best practice and a formal GDPR requirement for certain companies like those that perform large-scale monitoring or data processing.
Review Data and Documentation
Your organization will need to review all the personal data you hold on individuals, as well as where you obtained it and how you share it. You'll also need to review your existing privacy notices, a key focus of GDPR, which requires that they include information such as:
- Purpose of data collection
- Types of recipients you may share the data with
- Data retention period
- Data subjects’ rights
Privacy notices must also be written in plain language, so you’ll need to avoid legal jargon. Overall, this review process will help you comply with key GDPR documentation requirements.
Analyze Your Gaps
As you review your organization’s current approach to handling personal data, you’ll want to conduct a gap analysis against GDPR requirements. Major areas to focus on include:
- Right to data: Your data processing methods must support the individual rights outlined in GDPR. These include the right to access, rectification and deletion, as well as the right to file a complaint.
- Data access requests: Organizations will have one month to respond to data requests, as opposed to the current 40 days. This is important to think about if you field a large number of requests.
- Lawful basis for processing data: This element needs to be included in your privacy notice, and it will also impact rights individuals have regarding their data. For instance, if the person’s consent is the basis for processing, he or she will have more rights to delete it.
- Individual consent: The UK’s Information Commissioner’s Office (ICO) provides detailed guidance on what consent means under GDPR, including that it must be specific, clear and opt-in.
- Children and parental consent: GDPR covers specific protections for children’s data, and organizations may need a parent or guardian’s consent for those under 16.
- Data breach protections: You’ll need to review procedures for how you will handle any data breaches, including how you will identify and report them.
Assess Risk of Compliance Gaps
Once you have a list of individual compliance gaps, you need to create a comprehensive plan to fix them. Many companies are currently behind the curve when it comes to GDPR compliance, so if you’re looking at a long list of to-do’s you’ll need a way to prioritize them.
A formal risk assessment of each compliance gap can help you prioritize, and it also lets you document each risk item in a centralized Risk Register for more efficient tracking. Ideally, these tools would be integrated with other areas of your Quality Management System, such as Change Management and Document Control functions.
Conduct a Data Protection Impact Assessment (DPIA)
We talk a lot about the benefits of proactively reducing risk at the design phase, and it’s a principle that also applies to data processing. Within the context of GDPR, the idea of “privacy by design” is now a regulatory requirement. In specific situations where handling data presents a high risk to people, you’ll need to conduct a formal Data Protection Impact Assessment (DPIA).
Clearly, organizations are looking at a mountain of requirements and a very short timeline to comply with them. To avoid a multi-million dollar fine or a reputation-wrecking data breach, focus on building a comprehensive, proactive strategy supported by your QMS processes.