By now you’ve probably heard talk of the General Data Protection Regulation, or GDPR. GDPR is a comprehensive EU regulation that affects people and organisations everywhere and failure to comply creates significant and ongoing risk. With the May 25th deadline for GDPR compliance looming, many organisations have already started programs to ensure their readiness. But if you haven’t taken steps toward GDPR compliance, you’re not alone. Here are the top four actions your organisation needs to take right now.
1. Understand What GDPR is and Your Organisation’s Responsibilities
Your first action as an organisation is to understand at a broad level what GDPR is and what your organisation’s responsibilities are.
Put simply, the primary objective of the GDPR is to give citizens of the EU control of their personal information. The GDPR sets a broad definition for personal data—any information relating to an identifiable person who can be recognized by an identifier, such as name, location, or email. It establishes official terms describing the nature of an organisation’s relationship to that data (as a “Data Controller” or “Data Processor”) and outlines specific responsibilities for protecting that data and for controlling who may access it and to whom it may be disseminated. These responsibilities are based on an assessment of the risk that the data could pose to the person if it is released or lost.
GDPR also spells out requirements like the “right to be forgotten,” which has caused much discussion and concern in the last year or so. While the Regulation is clear on what an organisation’s responsibilities are, it leaves room for businesses to decide how to meet those responsibilities by establishing their own “technical and organisational measures”[1]. These may include methods suggested in the Regulation, but they are not required to. The Regulation also sets significant penalties for organisations found to be in violation.
Once you have a better understanding of the General Data Protection Regulation, you should find out what your company’s responsibilities are. For example, if you are a U.S.-based company and only have employees in the U.S., you still need to ensure compliance with respect to the personal data of any European customers or prospective customers. Compared to prior regulations, GDPR expands the definition of personal, protected data, the definition of who is protected, and many of an organisation’s responsibilities. Collaborative Solutions recommends using the following resources to understand the finer details of the GDPR and how they affect your organisation.
- https://www.eugdpr.org/
- https://gdpr-info.eu/
- https://www.superoffice.com/blog/gdpr/
- https://ec.europa.eu/info/law/law-topic/data-protection_en
2. Recognize Your Corporate Position on Compliance
Your second step for GDPR compliance is to understand what approach your organisation will take to comply. There is no cut-and-dried, one-size-fits-all approach that can be followed the same way by every organisation to ensure compliance. Given the wording of the Regulation, organisations have both a fair amount of flexibility and the responsibility to determine what makes up the correct set of technical and organisational measures[1] to ensure the data they’re responsible for is appropriately protected. Not all organisations will track information with the same level of risk to the data subjects, have the same tools at their disposal, or be able to devote the same amount of resources to their compliance programs.
Finding your organisation’s sweet spot for GDPR compliance is a matter of evaluating the cost and options for compliance, against the risk level and cost of inadequate compliance. That cost can come in terms of some steep fines, but don’t forget to consider the other costs of non-compliance. Losses due to bad publicity and lack of customer confidence can be as bad or worse for the balance sheet than the fines themselves. And speaking of fines…
The Regulation gives guidance on which types of offenses are likely to be fined more harshly and which may receive lesser fines. While the maximum fines are considered unlikely to be charged in most cases, the Regulation is clear that fines are intended to be “effective, proportional, and dissuasive”. While they are not meant to put a company out of business, they are meant to be memorable.
Aside from GDPR, organisations routinely make decisions about the nature and level of investment they will make to support compliance efforts in many areas. In the same way, your company’s position on GDPR compliance investment is a strategic business decision. It should be aligned with your overall compliance approach and be made with the guidance of informed internal stakeholders and external legal guidance.
3. Learn Who in Your Organisation Has Taken Steps Toward Compliance and Work Cross-Functionally
The next step toward GDPR compliance is creating a cross-functional alliance. Make sure you sync up with all departments to understand if and how they’ve begun preparing for GDPR to go into effect. While you have been considering the impacts of GDPR in your own area, other groups within the organisation are likely to have protected data as well.
What GDPR items could be at play in your organisation? Here are a few examples, but there could be many others.
The responsibilities of GDPR are new and sometimes overwhelming for departments that have not had to address compliance previously, but it’s important to remember that your organisation has employees who deal with compliance issues daily. Reach out to your colleagues in other impacted departments, or in departments that are familiar with compliance issues (such as HR, IT, Audit, and Legal/Compliance), to see what compliance efforts may already be underway. You might be able to leverage some of the work they have already tackled, such as risk assessments or policy modifications. At the very least, you may find that someone else has already socialized the issue of GDPR compliance with senior leadership and gotten some momentum going.
Remember, every team or function that handles any kind of protected data should have an active role in the project.
4. Review Core Business Systems to Understand Data Use
Your fourth immediate step toward compliance is to begin your data inventory and risk analysis. While completing this effort for all your systems may not be possible by May 25th, showing a good faith effort toward compliance and a solid roadmap for future completion will demonstrate, if you’re challenged by the EU, that your organisation is taking the legislation seriously.
All successful GDPR compliance programs will need to have some version of data inventory and risk analysis included in the program. You will need to identify all the protected data your organisation stores/processes, who has access to that data, and where you may send it outside of your own organisation (e.g., third-party tools or vendors that use that information). Start by reviewing your core business systems and technology to understand the type of data you’re storing in them, and the technical capabilities of your systems to support compliance.
- Where do we keep sensitive data, and/or where do we transfer it?
- Who has access to personal data?
- Do we share personal data with third parties? Do they share it with other entities?
- What processes do we have in place to safeguard personal data?
- How do we respond to requests to view, correct, or delete this data?
While data inventory and risk analysis are very technical activities, they lead to some business requirements that may need to be discussed, reviewed, and documented:
- For what business purpose do we collect personal information?
- How long do we keep personal data?
Fortunately, most vendors (including Workday) include several compliance tools and are making their systems very visibly compliant. You should be able to access the steps many vendors have taken to ensure GDPR compliance on their websites or corporate blogs. The tools and information these systems provide will be key elements in your overall compliance program but remember to think of them as building blocks and not a single fix to a complex set of requirements. It is up to you as the Data Controller – the organisation collecting and processing data – to develop a comprehensive program featuring both technical and organisational measures[1] that address the full spectrum of your responsibilities under GDPR.
As you can see, the GDPR is wide-ranging and has serious implications for organisations found not in compliance. With less than one month until the Regulation goes into effect, and no sign of a delay of enforcement on the horizon, it’s crunch time to take these four steps!
GDPR is setting the new norm for data protection and will continue to evolve as different types of compliance efforts are held up to legal scrutiny. For more information on how Collaborative Solutions’ Strategy & Transformation consultants can guide your organisation in building a roadmap for your journey to compliance, contact us.
[1] “Technical and organisational measures” is phrasing used in the General Data Protection Regulation to describe what an organisation should establish to become compliant, without defining the exact measures that a company should adopt.
Notice: This blog is for discussion purposes only. Collaborative Solutions is not licensed to provide legal advice of any kind and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, you should seek independent advice of qualified legal counsel.