You probably don’t need reminding that the European Union (EU) General Data Protection Regulation (GDPR) takes effect in just days, on May 25, 2018. Although you may think it doesn’t apply to your business, U.S. companies that collect personal data of individuals in the EU are required to comply with GDPR, even if they have no establishment in the EU.
If you are like many organizations affected by GDPR, you may have been preparing for months and invested significant time assessing your operations to ensure compliance. On the other hand, you may be like the majority of U.S. organizations subject to GDPR that have not spent nearly as many hours preparing for the deadline.
If you are trying to understand the GDPR, whether your company is affected by the GDPR, or whether your company is GDPR compliant, you are not alone.
A recent survey of a group of U.S.-based organizations subject to the GDPR revealed that only 30% expected to meet the GDPR deadline. Neglecting the deadline is, however, a dangerous path, as the penalties for non-compliance are severe and can be extremely costly.
For U.S. companies, protecting personal data and complying with data privacy laws is not a new concept. Similar data privacy regulations have been in force in certain industries for quite some time:
- Healthcare: Health Insurance Portability and Accountability Act – HIPAA
- Financial institutions: Gramm-Leach-Bliley Act – GLBA
- Employment screening and consumer credit: Fair Credit Reporting Act – FCRA; and
- Commercial email: CAN-SPAM
As evidenced by the 20% year-on-year increase in the number of companies obtaining ISO/IEC 27001 certification (the international standard for information security), compliance with data privacy laws and implementation of standards to support compliance is a top priority for most companies.
Who is subject to GDPR requirements?
Any business that handles the personal data of individuals located in the European Union (EU) must comply with GDPR requirements, whether or not the business itself is established in the EU. So, if an organization has EU employees, offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU (for example, through website analytics or online tracking), the regulation very likely applies to it directly. Note also that GDPR applies to companies of any size, regardless of revenue or headcount, although some provisions (such as the obligation to appoint a Data Protection Officer) apply only when company-specific criteria are met.
What is the GDPR?
Created as a framework of requirements designed to standardize data privacy laws, GDPR was enacted to provide individuals with more control over their personal information. In addition to increasing the rights of individuals regarding the privacy of their personal data, GDPR is intended to consolidate EU regulatory requirements for data privacy and streamline business obligations designed to address compliance.
Understanding what types of personal data fall under the new regulation, and how that data must be managed, is critical to compliance. All companies that process personal data of individuals in the EU should undertake an in-depth review of the GDPR to determine the steps to take and the documents to prepare or modify in order to develop a GDPR-compliant data protection program.
GDPR – The Highlights
- Personal data is broadly defined to include any information that can be used, directly or indirectly, to identify a person (e.g., name, email address, IP address or other online identifier, banking or medical information, etc.).
- Rights of the individual or “data subject.”
- Consent and right to erasure: Where a company processes personal data on the basis of consent, the GDPR imposes strict requirements on how that consent is obtained, including informing the data subject of the right to refuse or withdraw it. Separately, a data subject may require the organization to erase their personal data, for example when consent is withdrawn or the data is no longer needed for the purpose for which it was collected, subject to the exceptions set out in the regulation (such as a legal obligation to retain the data).
- Data portability and access: Individuals have the right to obtain and reuse their personal data (including emails and photos) for their own purposes. Organizations will be required to provide the data in a structured, commonly used, and machine-readable format.
- Rectification: Any individual can require an organization to correct any inaccurate data that relates to their personal information maintained by the organization.
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- Data Protection Impact Assessment (DPIA): A process designed to identify the risks arising from the processing of personal data and to minimize them. A DPIA is mandatory where the processing is likely to result in a high risk to the rights and freedoms of data subjects (for example, large-scale processing of special categories of data, or systematic monitoring of a publicly accessible area).
- Data Protection Officer (DPO): An individual designated by an organization to monitor its compliance with the GDPR, advise on its data protection obligations, and act as the point of contact for supervisory authorities and data subjects. The DPO must be able to perform these tasks independently and may not be instructed on how to carry them out; the role oversees compliance both within the organization and in its dealings with vendors and suppliers. Whether a DPO must be appointed depends on the core activities of the controller or processor (for example, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data).
- Data Breach Notification: If a controller experiences a personal data breach, it must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the affected data subjects must also be informed, and a processor must report any breach to its controller without undue delay.
The purpose of the GDPR is straightforward: to enable EU data subjects to control their personal data, and to ensure that the companies that process personal data comply with the applicable provisions of the GDPR and handle personal data appropriately. However, the requirements of the GDPR are both extensive and detailed. All organizations that collect or process personal data of individuals in the EU should seek the advice of counsel or other knowledgeable advisors to assist in assessing the impact of GDPR on their activities.
GDPR Readiness-Check: Four Basic Steps
To ensure all personal data maintained by your organization is secure and managed according to GDPR requirements, you must first determine whether you are a controller or a processor processing the personal data of individuals in the EU. From there, organizations should focus on four main tasks: finding the personal data in their systems and repositories, educating the team and confirming process compliance, confirming document compliance, and managing ongoing compliance.
Step 1: Identify and inventory “personal data”
To assess regulated data accurately, you must first find it; only then can you store it according to the requirements and retrieve it readily for ongoing compliance (for example, to answer an access, portability, or erasure request).
The EU built the GDPR around one type of information: personal data. In practice, the GDPR treats almost any information relating to an individual as personal data. Officially, it is defined as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Knowing the location of your data and having controls in place to manage it correctly is just as important as analyzing which data to protect. Make sure to:
- Document the personal data your organization maintains, where it came from, and why you legally maintain it;
- Develop and implement internal processes, procedures, and security controls for storing, managing, sharing, and transferring personal data.
Identifying the personal data collected within your organization and organizing and processing it in a manner consistent with GDPR is the first step to initial and ongoing compliance.
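The discovery task in Step 1 is usually the one that gets automated first: scan each repository for candidate identifiers, record which categories appear where, and compare the result against the register of documented processing purposes so that undocumented holdings stand out. The following script is an added illustration, not part of the original article or any EXTEND Resources tooling. The repository contents, file paths, and the processing register are constructed sample data; the regular expressions are heuristics for structured identifiers (email addresses, IPv4 addresses, IBANs) and are not a legal test of what counts as personal data.

```python
"""Toy personal-data discovery pass for a GDPR inventory.

Scans constructed text records for structured identifiers, builds a
per-source inventory, and flags sources that hold personal data but have
no entry in the processing register. Added example; all data is made up.
"""
import ipaddress
import re
from collections import Counter

# Heuristic patterns for identifiers named in the GDPR definition
# ("an identification number", "an online identifier") or in the
# highlights above (email, IP address, banking details). A regex hit is
# a candidate for review, not a legal determination.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Constructed sample repositories. Keys are hypothetical paths; values are
# the lines found there. None of this is real customer data.
SAMPLE_SOURCES = {
    "crm/customers.csv": [
        "id,name,email,country",
        "1001,Anna Muster,anna.muster@example.org,DE",
        "1002,Liam Byrne,liam.byrne@example.ie,IE",
    ],
    "web/access.log": [
        '203.0.113.42 - - [20/May/2018:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512',
        '198.51.100.7 - - [20/May/2018:10:00:03 +0000] "GET /login HTTP/1.1" 302 0',
        "build 10.0.0.300 deployed",  # octet out of range: not an address
    ],
    "finance/refunds.txt": [
        "refund 1002 DE89370400440532013000 EUR 49.00",
    ],
    "docs/release-notes.md": [
        "Version 2.1.3 released; see changelog.",
    ],
}

# Constructed processing register: the "where it came from and why you
# legally maintain it" record. finance/ is deliberately absent so the gap
# check below has something to report.
PROCESSING_REGISTER = {
    "crm/customers.csv": {"purpose": "contract fulfilment", "lawful_basis": "Art. 6(1)(b)"},
    "web/access.log": {"purpose": "security monitoring", "lawful_basis": "Art. 6(1)(f)"},
}


def is_ipv4(candidate: str) -> bool:
    """Reject regex matches whose octets are out of range (e.g. 10.0.0.300)."""
    try:
        return isinstance(ipaddress.ip_address(candidate), ipaddress.IPv4Address)
    except ValueError:
        return False


def scan_line(line: str) -> Counter:
    """Return a Counter of identifier categories found on one line."""
    found = Counter()
    for category, pattern in PATTERNS.items():
        for match in pattern.findall(line):
            if category == "ipv4" and not is_ipv4(match):
                continue
            found[category] += 1
    return found


def build_inventory(sources: dict) -> dict:
    """Map each source to a Counter of identifier categories it contains.

    Sources with no hits are omitted: on this heuristic they hold no
    candidate personal data and need no register entry.
    """
    inventory = {}
    for source, lines in sources.items():
        total = Counter()
        for line in lines:
            total.update(scan_line(line))
        if total:
            inventory[source] = total
    return inventory


def undocumented_sources(inventory: dict, register: dict) -> list:
    """Sources holding personal data with no documented purpose or lawful basis."""
    return sorted(src for src in inventory if src not in register)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SOURCES)
    for source, counts in inv.items():
        print(f"{source}: {dict(counts)}")
    for source in undocumented_sources(inv, PROCESSING_REGISTER):
        print(f"GAP: {source} holds personal data but has no register entry")
```

Two caveats a practitioner would add before relying on a pass like this. First, free-text identifiers such as the names in the CRM export are not caught by regular expressions at all; those need field-level classification, dictionaries, or named-entity recognition, so a clean regex scan is not evidence that a source is free of personal data. Second, the register comparison is only as good as the register: a source that is documented but whose actual contents have drifted (a log that started capturing user IDs, say) will pass the gap check, which is why the inventory should be rebuilt on a schedule rather than once.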
Step 2: Educate team members and confirm process compliance
In addition to identifying and securing personal data, organizations should examine their internal policies, procedures, and documents to assess GDPR compliance.
- Educate all individuals processing personal data within the company about GDPR and its implications;
- Streamline internal processes and procedures to secure personal data (such as that of customers, partners, and employees), and implement appropriate controls;
- Develop internal and external audit procedures for monitoring ongoing compliance by the organization and by the third-parties processing the personal data controlled by the organization; and
- Implement procedures to detect, report, and investigate a personal data breach to comply with notification requirements.
Educating your team and standardizing GDPR compliant provisions in the organization’s policies and procedures supports the implementation of compliant processes.
Step 3: Confirm document compliance
Importantly, all documents that involve the organization’s collection and processing of personal data, including contracts, should include GDPR-compliant provisions.
- Update current policies and procedures related to handling personal data to comply with GDPR data handling practices;
- Conduct a thorough evaluation of internal contract management processes to determine capabilities and potential exposure to liabilities that relate to GDPR requirements for personal data;
- Ensure all in-force contracts, including customer, vendor, and third-party agreements, include required GDPR provisions; and
- Ensure all third parties which have access to personal data your organization processes are GDPR compliant, and your agreements with them include the necessary privacy terms and clauses.
Step 4: Manage ongoing compliance
Implementing internal processes and procedures based on best practices and outlined requirements to support ongoing compliance is the final step in your GDPR readiness checklist.
- Designate an individual within the organization to be responsible for data protection compliance, and to serve as the point of contact between the company and GDPR Supervisory Authorities, if applicable;
- The GDPR requires some organizations to designate a Data Protection Officer (DPO), a person principally responsible for monitoring the organization’s protection of personal data. If an organization does not meet the criteria that make a DPO mandatory, it is still important and valuable to manage compliance through a responsible individual or an independent resource with the required expertise.
- Review GDPR requirements regularly and update organizational processes and procedures related to handling personal data accordingly;
- Implement internal training programs to educate employees on all policies, processes, and procedures related to GDPR requirements, specifically those involved in the processing of personal data;
- Schedule regular security audits to confirm compliance with the regulation, both internally and externally for partners and vendors.
In addition to designating an individual or information security team to oversee the proper handling of personal data, implementing technologies that provide insight into an organization’s information security program can support efficient GDPR management and ultimately reduce the risk of the hefty penalties associated with non-compliance.
Now, data security is personal
Capturing, collecting, and processing data is an element of almost everything we do. Data is entwined in just about every aspect of our business and personal lives.
To protect their clients, employees, and reputations, companies must build a culture of data security among their internal team members. Many organizations have already developed programs to protect the security of the information they store.
GDPR requires some additional assurances and processes specifically around managing personal data. Understanding the GDPR requirements, and whether your organization is affected by them, will help identify the adjustments that need to be made to an existing information security program. The steps outlined above will help you support your organization’s readiness to comply with GDPR.
Identifying and inventorying the personal information an organization holds and manages can be a challenging, time-consuming task. EXTEND Resources provides the methodologies and expert resources to examine your information environment and help you prepare for GDPR compliance. For more information, contact Audrey Weinstein, Vice President and General Counsel, at email@example.com or 561-923-8863.